Windows Analysis Report
aS4XS9m23e.exe

Overview

General Information

Sample name: aS4XS9m23e.exe (renamed because the original name is a hash value)
Original sample name: a1c682e062a48d9c0b1a1c2d818873e7.exe
Analysis ID: 1501227
MD5: a1c682e062a48d9c0b1a1c2d818873e7
SHA1: bed463472dac1ea86538e3627a84c268df713df5
SHA256: ac16409881c939baaca90116feba3724f5d6aed3dc7ca00672dfee067c72c2ae
Tags: exe, RedLineStealer

Detection

RedLine
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AntiVM3
Yara detected RedLine Stealer
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
C2 URLs / IPs found in malware configuration
Found many strings related to Crypto-Wallets (likely being stolen)
Injects a PE file into a foreign processes
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Crypto Currency Wallets
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer

Process Tree

  • System is w10x64
  • aS4XS9m23e.exe (PID: 6644 cmdline: "C:\Users\user\Desktop\aS4XS9m23e.exe" MD5: A1C682E062A48D9C0B1A1C2D818873E7)
    • powershell.exe (PID: 6868 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\aS4XS9m23e.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 6884 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • conhost.exe (PID: 6868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 5172 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 6964 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7096 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjCLFIohWTlhgd" /XML "C:\Users\user\AppData\Local\Temp\tmpA2E9.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7128 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • aS4XS9m23e.exe (PID: 4268 cmdline: "C:\Users\user\Desktop\aS4XS9m23e.exe" MD5: A1C682E062A48D9C0B1A1C2D818873E7)
  • mjCLFIohWTlhgd.exe (PID: 6432 cmdline: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe MD5: A1C682E062A48D9C0B1A1C2D818873E7)
    • schtasks.exe (PID: 4048 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjCLFIohWTlhgd" /XML "C:\Users\user\AppData\Local\Temp\tmpB4FA.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • mjCLFIohWTlhgd.exe (PID: 7112 cmdline: "C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe" MD5: A1C682E062A48D9C0B1A1C2D818873E7)
  • cleanup
Malware Family

Name: RedLine Stealer
Description: RedLine Stealer is a malware available on underground forums for sale, apparently as a standalone ($100/$150 depending on the version) or on a subscription basis ($100/month). This malware harvests information from browsers such as saved credentials, autocomplete data, and credit card information. A system inventory is also taken when running on a target machine, including details such as the username, location data, hardware configuration, and information regarding installed security software. More recent versions of RedLine added the ability to steal cryptocurrency. FTP and IM clients are also apparently targeted by this family, and this malware has the ability to upload and download files, execute commands, and periodically send back information about the infected computer.
Attribution: No Attribution
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer

Extracted malware configuration:
{"C2 url": ["85.209.133.187:1912"], "Bot Id": "BIN", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
YARA matches on network traffic (Source / Rule / Description / Author):
  dump.pcap / JoeSecurity_RedLine_1 / Yara detected RedLine Stealer / Joe Security
  dump.pcap / JoeSecurity_RedLine / Yara detected RedLine Stealer / Joe Security

YARA matches on memory dumps (Source / Rule / Description / Author):
  00000008.00000002.1753433472.0000000003834000.00000004.00000800.00020000.00000000.sdmp / JoeSecurity_RedLine / Yara detected RedLine Stealer / Joe Security
  00000000.00000002.1715114558.0000000004194000.00000004.00000800.00020000.00000000.sdmp / JoeSecurity_RedLine / Yara detected RedLine Stealer / Joe Security
  00000007.00000002.1819381063.0000000000402000.00000040.00000400.00020000.00000000.sdmp / JoeSecurity_RedLine / Yara detected RedLine Stealer / Joe Security
  00000008.00000002.1753433472.0000000003868000.00000004.00000800.00020000.00000000.sdmp / JoeSecurity_RedLine / Yara detected RedLine Stealer / Joe Security
  00000000.00000002.1715114558.00000000041DF000.00000004.00000800.00020000.00000000.sdmp / JoeSecurity_RedLine / Yara detected RedLine Stealer / Joe Security
  (13 further entries not shown in this view of the report)

YARA matches on unpacked PE files (Source / Rule / Description / Author):
  8.2.mjCLFIohWTlhgd.exe.38345e0.8.raw.unpack / JoeSecurity_RedLine / Yara detected RedLine Stealer / Joe Security
  8.2.mjCLFIohWTlhgd.exe.387f800.4.raw.unpack / JoeSecurity_RedLine / Yara detected RedLine Stealer / Joe Security
  0.2.aS4XS9m23e.exe.419ce80.8.raw.unpack / JoeSecurity_RedLine / Yara detected RedLine Stealer / Joe Security
  8.2.mjCLFIohWTlhgd.exe.38345e0.8.unpack / JoeSecurity_RedLine / Yara detected RedLine Stealer / Joe Security
  8.2.mjCLFIohWTlhgd.exe.387f800.4.unpack / JoeSecurity_RedLine / Yara detected RedLine Stealer / Joe Security
  (3 further entries not shown in this view of the report)

System Summary

Sigma rule matches on process creation:

  powershell.exe (PID 6868), parent aS4XS9m23e.exe (PID 6644)
    Rule authors: Florian Roth (Nextron Systems) (two separate rule entries by this author point at this event); Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
    CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\aS4XS9m23e.exe"
    Image / NewProcessName / OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    ParentCommandLine / ParentImage: "C:\Users\user\Desktop\aS4XS9m23e.exe"
    CommandLine|base64offset|contains: ~2yzw

  schtasks.exe (PID 4048), parent mjCLFIohWTlhgd.exe (PID 6432)
    Rule author: Florian Roth (Nextron Systems)
    CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjCLFIohWTlhgd" /XML "C:\Users\user\AppData\Local\Temp\tmpB4FA.tmp"
    Image / NewProcessName / OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
    ParentCommandLine / ParentImage: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe
    CommandLine|base64offset|contains: *j

  schtasks.exe (PID 7096), parent aS4XS9m23e.exe (PID 6644)
    Rule author: Florian Roth (Nextron Systems)
    CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjCLFIohWTlhgd" /XML "C:\Users\user\AppData\Local\Temp\tmpA2E9.tmp"
    Image / NewProcessName / OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
    ParentCommandLine / ParentImage: "C:\Users\user\Desktop\aS4XS9m23e.exe"
    CommandLine|base64offset|contains: *j

Note that each command line names C:\Windows\System32\ while the Image field resolves to C:\Windows\SysWOW64\: the parent is a 32-bit process (see "Uses 32bit PE files"), so WOW64 file system redirection maps System32 to SysWOW64. Detection logic that matches only on the full System32 image path misses these events; match on the file name, or on both directories.

Persistence and Installation Behavior

Sigma rule match on process creation (author: Joe Security):

  schtasks.exe (PID 7096), parent aS4XS9m23e.exe (PID 6644)
    CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjCLFIohWTlhgd" /XML "C:\Users\user\AppData\Local\Temp\tmpA2E9.tmp"
    Image / NewProcessName / OriginalFileName: C:\Windows\SysWOW64\schtasks.exe
    ParentCommandLine / ParentImage: "C:\Users\user\Desktop\aS4XS9m23e.exe"
    CommandLine|base64offset|contains: *j

Suricata IDS Alerts

56 alerts between 15:57:03 and 15:57:15 on 2024-08-29 (+0200). Every alert has Severity 1, Protocol TCP and Classtype "A Network Trojan was detected". Two client flows (source ports 49730 and 49731) talk to destination port 1912, the port of the C2 endpoint in the extracted configuration. SIDs by direction: 2043231 (50 alerts, client to server), 2046045 (2, client to server, at the first alert of each flow), 2043234 (2, server to client), 2046056 (2, server to client).

Timestamp                          SID      Source port -> Destination port
2024-08-29T15:57:03.628786+0200    2043231  49730 -> 1912
2024-08-29T15:57:03.628786+0200    2046045  49730 -> 1912
2024-08-29T15:57:03.723989+0200    2043234  1912 -> 49730
2024-08-29T15:57:06.752935+0200    2043231  49731 -> 1912
2024-08-29T15:57:06.752935+0200    2046045  49731 -> 1912
2024-08-29T15:57:06.849653+0200    2043234  1912 -> 49731
2024-08-29T15:57:08.787507+0200    2043231  49730 -> 1912
2024-08-29T15:57:08.971200+0200    2046056  1912 -> 49730
2024-08-29T15:57:09.093192+0200    2043231  49730 -> 1912
2024-08-29T15:57:09.221278+0200    2043231  49730 -> 1912
2024-08-29T15:57:09.600356+0200    2043231  49730 -> 1912
2024-08-29T15:57:09.758204+0200    2043231  49730 -> 1912
2024-08-29T15:57:09.870434+0200    2043231  49730 -> 1912
2024-08-29T15:57:10.511808+0200    2043231  49730 -> 1912
2024-08-29T15:57:10.682490+0200    2043231  49730 -> 1912
2024-08-29T15:57:10.810358+0200    2043231  49730 -> 1912
2024-08-29T15:57:10.909327+0200    2043231  49730 -> 1912
2024-08-29T15:57:11.007941+0200    2043231  49730 -> 1912
2024-08-29T15:57:11.104735+0200    2043231  49730 -> 1912
2024-08-29T15:57:11.209793+0200    2043231  49730 -> 1912
2024-08-29T15:57:11.305933+0200    2043231  49730 -> 1912
2024-08-29T15:57:11.405453+0200    2043231  49730 -> 1912
2024-08-29T15:57:11.532053+0200    2043231  49730 -> 1912
2024-08-29T15:57:11.630868+0200    2043231  49730 -> 1912
2024-08-29T15:57:11.811858+0200    2043231  49730 -> 1912
2024-08-29T15:57:11.928398+0200    2043231  49731 -> 1912
2024-08-29T15:57:11.989237+0200    2043231  49730 -> 1912
2024-08-29T15:57:11.995188+0200    2043231  49730 -> 1912
2024-08-29T15:57:12.169489+0200    2043231  49731 -> 1912
2024-08-29T15:57:12.176588+0200    2046056  1912 -> 49731
2024-08-29T15:57:12.536410+0200    2043231  49730 -> 1912
2024-08-29T15:57:12.633051+0200    2043231  49730 -> 1912
2024-08-29T15:57:12.755077+0200    2043231  49730 -> 1912
2024-08-29T15:57:13.031512+0200    2043231  49731 -> 1912
2024-08-29T15:57:13.130583+0200    2043231  49731 -> 1912
2024-08-29T15:57:13.229012+0200    2043231  49731 -> 1912
2024-08-29T15:57:13.328171+0200    2043231  49731 -> 1912
2024-08-29T15:57:13.503543+0200    2043231  49731 -> 1912
2024-08-29T15:57:13.674414+0200    2043231  49731 -> 1912
2024-08-29T15:57:13.693655+0200    2043231  49731 -> 1912
2024-08-29T15:57:13.793345+0200    2043231  49731 -> 1912
2024-08-29T15:57:13.945146+0200    2043231  49731 -> 1912
2024-08-29T15:57:14.044948+0200    2043231  49731 -> 1912
2024-08-29T15:57:14.171253+0200    2043231  49731 -> 1912
2024-08-29T15:57:14.271625+0200    2043231  49731 -> 1912
2024-08-29T15:57:14.376435+0200    2043231  49731 -> 1912
2024-08-29T15:57:14.533892+0200    2043231  49731 -> 1912
2024-08-29T15:57:14.577260+0200    2043231  49731 -> 1912
2024-08-29T15:57:14.582663+0200    2043231  49731 -> 1912
2024-08-29T15:57:15.132790+0200    2043231  49731 -> 1912
2024-08-29T15:57:15.235114+0200    2043231  49731 -> 1912
2024-08-29T15:57:15.335316+0200    2043231  49731 -> 1912
2024-08-29T15:57:15.483183+0200    2043231  49731 -> 1912
2024-08-29T15:57:15.580288+0200    2043231  49731 -> 1912
2024-08-29T15:57:15.678097+0200    2043231  49731 -> 1912
2024-08-29T15:57:15.799278+0200    2043231  49731 -> 1912


                          AV Detection

                          Source: 8.2.mjCLFIohWTlhgd.exe.387f800.4.raw.unpack | Malware Configuration Extractor: RedLine {"C2 url": ["85.209.133.187:1912"], "Bot Id": "BIN", "Authorization Header": "c74790bd166600f1f665c8ce201776eb"}
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | ReversingLabs: Detection: 65%
                          Source: aS4XS9m23e.exe | ReversingLabs: Detection: 65%
                          Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Joe Sandbox ML: detected
                          Source: aS4XS9m23e.exe | Joe Sandbox ML: detected
                          Source: aS4XS9m23e.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                          Source: aS4XS9m23e.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Source: Binary string: RCDR.pdbSHA256= source: aS4XS9m23e.exe, mjCLFIohWTlhgd.exe.0.dr
                          Source: Binary string: RCDR.pdb source: aS4XS9m23e.exe, mjCLFIohWTlhgd.exe.0.dr

                          Networking

                          Source: Network traffic | Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.4:49731 -> 85.209.133.187:1912
                          Source: Network traffic | Suricata IDS: 2043231 - Severity 1 - ET MALWARE Redline Stealer TCP CnC Activity : 192.168.2.4:49730 -> 85.209.133.187:1912
                          Source: Network traffic | Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.4:49730 -> 85.209.133.187:1912
                          Source: Network traffic | Suricata IDS: 2046045 - Severity 1 - ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) : 192.168.2.4:49731 -> 85.209.133.187:1912
                          Source: Network traffic | Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 85.209.133.187:1912 -> 192.168.2.4:49730
                          Source: Network traffic | Suricata IDS: 2043234 - Severity 1 - ET MALWARE Redline Stealer TCP CnC - Id1Response : 85.209.133.187:1912 -> 192.168.2.4:49731
                          Source: Network traffic | Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 85.209.133.187:1912 -> 192.168.2.4:49730
                          Source: Network traffic | Suricata IDS: 2046056 - Severity 1 - ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) : 85.209.133.187:1912 -> 192.168.2.4:49731
                          Source: Malware configuration extractor | URLs: 85.209.133.187:1912
                          Source: global traffic | TCP traffic: 192.168.2.4:49730 -> 85.209.133.187:1912
                          Source: Joe Sandbox View | ASN Name: CMCSUS CMCSUS
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: unknown | TCP traffic detected without corresponding DNS query: 85.209.133.187
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-x509-token-profile-1.0#X509SubjectKeyIdentif
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#GSS_Kerberosv5_AP_REQ1510
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV1.1
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#ThumbprintSHA1
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://docs.oasis-open.org/wss/oasis-wss-wssecurity-secext-1.1.xsd
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/2005/02/trust/tlsnego#TLS_Wrap
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/actor/next
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2002/12/policy
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/sc
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/sc/sct
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Issue
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/Nonce
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/Issue
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/SCT
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/06/addressingex
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/fault
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Commit
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Committed
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepared
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Rollback
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wsat/fault
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContext
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/RegisterResponse
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/10/wscoor/fault
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequence
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/CreateSequenceResponse
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/LastMessage
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/SequenceAcknowledgement
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/rmX
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/sc/sct
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/CK/PSHA1
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Cancel
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Issue
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Renew
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/Renew
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/SymmetricKey
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/spnego
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns
                          Source: aS4XS9m23e.exe, 00000000.00000002.1706854872.00000000026C7000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 00000008.00000002.1750753728.000000000281F000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/right/possessproperty
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2006/02/addressingidentity
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/D
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FED000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10Response
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FED000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030B8000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003332000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id10ResponseD
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11Response
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id11ResponseD
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12Response
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id12ResponseD
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.000000000326B000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13Response
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.000000000331E000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id13ResponseD
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14Response
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030B8000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003332000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id14ResponseD
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030B8000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15Response
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id15ResponseD
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16Response
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id16ResponseD
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002F4D000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17Response
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id17ResponseD
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18Response
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id18ResponseD
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19Response
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id19ResponseD
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1Response
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id1ResponseD
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20Response
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FFF000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.000000000329C000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id20ResponseD
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21Response
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.000000000329C000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id21ResponseD
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22Response
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id22ResponseD
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23Response
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030F8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id23ResponseD
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id24Response
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2Response
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id2ResponseD
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id3Response
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4Response
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://tempuri.org/Entity/Id4ResponseD
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5Response
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030B8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id5ResponseD
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6Response
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030B8000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003316000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id6ResponseD
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7Response
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id7ResponseD
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8Response
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FED000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030B8000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003332000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id8ResponseD
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003294000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9Response
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030B8000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003294000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://tempuri.org/Entity/Id9ResponseD
Source: aS4XS9m23e.exe, 00000000.00000002.1715114558.0000000004194000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000000.00000002.1715114558.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000000.00000002.1715114558.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1819381063.0000000000402000.00000040.00000400.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 00000008.00000002.1753433472.0000000003834000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 00000008.00000002.1753433472.0000000003868000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 00000008.00000002.1753433472.00000000038B3000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ip.sb/ip
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Code function: 0_2_0225D5DC
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Code function: 0_2_07A357AA
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Code function: 0_2_07A357B8
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Code function: 0_2_07A32327
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Code function: 0_2_07A32338
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Code function: 0_2_07A30C90
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Code function: 0_2_07A32C10
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Code function: 0_2_07A30858
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Code function: 7_2_02BEDC74
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 8_2_00E6D5DC
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 8_2_05A07388
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 8_2_05A052C8
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 8_2_05A03C50
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 8_2_05A09F10
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 8_2_05A026C8
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 8_2_05A026D8
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 8_2_05A052BA
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 8_2_05A03228
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 8_2_05A03218
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 8_2_05A03C15
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 8_2_05A09F00
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 8_2_05A09900
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 8_2_05A098F0
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 12_2_02E3DC74
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 12_2_054CEE58
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 12_2_054C8850
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 12_2_054C0040
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 12_2_054C0006
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 12_2_054C8840
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 12_2_05ADB5B0
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 12_2_05AD96C8
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 12_2_05AD7660
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 12_2_05ADB170
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 12_2_05ADB9E8
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 12_2_05AD6928
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 12_2_067AB228
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 12_2_067AC848
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 12_2_067AA908
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 12_2_067AF660
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 12_2_067AF650
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 12_2_067AB219
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 12_2_067A30E0
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 12_2_067AC838
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 12_2_067A92C8
Source: aS4XS9m23e.exe, 00000000.00000002.1724802320.0000000004F20000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameSalmun.dll. vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000000.00000002.1725569609.0000000007D50000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000000.00000002.1706854872.00000000023E1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSalmun.dll. vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000000.00000002.1715114558.0000000004194000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000000.00000002.1715114558.000000000422A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000000.00000000.1691055371.0000000000112000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameRCDR.exe( vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000000.00000002.1727285984.000000000B776000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000000.00000002.1727285984.000000000B776000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRCDR.exe( vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000000.00000002.1715114558.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameTyrone.dll8 vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000000.00000002.1715114558.00000000041DF000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000000.00000002.1706854872.0000000002404000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSalmun.dll. vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000000.00000002.1704789511.000000000066E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000000.00000002.1706854872.000000000245A000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSalmun.dll. vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000007.00000002.1819381063.0000000000446000.00000040.00000400.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameSteanings.exe8 vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilename vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamefirefox.exe0 vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $^q,\\StringFileInfo\\000004B0\\OriginalFilename vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamechrome.exe< vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $^q,\\StringFileInfo\\040904B0\\OriginalFilename vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIEXPLORE.EXE.MUID vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameIEXPLORE.EXED vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: $^q,\\StringFileInfo\\080904B0\\OriginalFilename vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamemsedge.exe> vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe, 00000007.00000002.1820320958.0000000000FA8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs aS4XS9m23e.exe
Source: aS4XS9m23e.exe | Binary or memory string: OriginalFilenameRCDR.exe( vs aS4XS9m23e.exe
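The rows above pair each OriginalFilename value found in memory with the process that held it. Values that differ from the running image (Salmun.dll, Tyrone.dll, Steanings.exe, and the sample's own RCDR.exe, which no longer matches its renamed file name) are the version resources of other PE images carried inside the process, which is how a .NET loader that unpacks its stages into the heap gives itself away. The scanner below reproduces that check over a raw memory region. It is an added example, not Joe Sandbox code; the region it scans is a constructed blob, and the `_vs_string_entry` helper exists only to build VS_VERSION_INFO String structures for that blob.

```python
import re
import struct

# UTF-16LE form of the VS_VERSION_INFO string key the report rows key on.
ORIGINAL_FILENAME_KEY = "OriginalFilename".encode("utf-16-le")


def _vs_string_entry(key, value):
    """Build one VS_VERSION_INFO String structure (wLength, wValueLength,
    wType, szKey, DWORD padding, szValue). Used only to construct test input."""
    key_bytes = key.encode("utf-16-le") + b"\x00\x00"
    value_bytes = value.encode("utf-16-le") + b"\x00\x00"
    body = key_bytes
    if (6 + len(body)) % 4:          # szValue must start on a DWORD boundary
        body += b"\x00\x00"
    w_length = 6 + len(body) + len(value_bytes)
    w_value_length = len(value) + 1  # counted in WCHARs because wType == 1
    return struct.pack("<HHH", w_length, w_value_length, 1) + body + value_bytes


def find_original_filenames(region):
    """Return every OriginalFilename value embedded in a memory region, in the
    order found. It works on raw bytes, so it also catches version resources
    of PE images that were unpacked into the heap and never mapped as modules."""
    names = []
    for match in re.finditer(re.escape(ORIGINAL_FILENAME_KEY), region):
        pos = match.end()
        # skip the key's NUL terminator and any DWORD-alignment padding
        while region[pos:pos + 2] == b"\x00\x00":
            pos += 2
        end = pos
        while end + 2 <= len(region) and region[end:end + 2] != b"\x00\x00":
            end += 2
        try:
            name = region[pos:end].decode("utf-16-le")
        except UnicodeDecodeError:
            continue
        if name:
            names.append(name)
    return names


def foreign_original_filenames(region, own_original_filename):
    """Names that do not belong to the host image's own version resource.
    Each one marks a distinct PE carried inside the process, worth carving."""
    own = own_original_filename.lower()
    return sorted({n for n in find_original_filenames(region) if n.lower() != own})


# Constructed sample region (not a real dump): the host image's own resource
# followed by two embedded images, with filler bytes between them.
SAMPLE_REGION = (
    b"\x00" * 16
    + _vs_string_entry("OriginalFilename", "RCDR.exe")        # host image
    + b"MZ\x90\x00" + b"\xcc" * 24                              # filler
    + _vs_string_entry("CompanyName", "Example Corp")           # unrelated key
    + _vs_string_entry("OriginalFilename", "Salmun.dll")      # embedded stage
    + b"\x00" * 8
    + _vs_string_entry("OriginalFilename", "Steanings.exe")   # embedded stage
)

if __name__ == "__main__":
    print("all names:", find_original_filenames(SAMPLE_REGION))
    print("foreign:  ", foreign_original_filenames(SAMPLE_REGION, "RCDR.exe"))
```

On a real process the region would be one of the `.sdmp` memory ranges named in the rows, read with a memory-dump tool; the trailing garbage character the report shows after each name (the `.`, `8` or `(`) is the first byte of the next structure, which this scanner stops before because it reads up to the value's NUL terminator.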
Source: aS4XS9m23e.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: aS4XS9m23e.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: mjCLFIohWTlhgd.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, SImenbonHhNE64Sk5C.cs | Security API names: _0020.SetAccessControl
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, SImenbonHhNE64Sk5C.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, SImenbonHhNE64Sk5C.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, SImenbonHhNE64Sk5C.cs | Security API names: _0020.SetAccessControl
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, SImenbonHhNE64Sk5C.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, SImenbonHhNE64Sk5C.cs | Security API names: System.Security.AccessControl.FileSystemSecurity.AddAccessRule(System.Security.AccessControl.FileSystemAccessRule)
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, R8S4YJKjS79XM3F61y.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, R8S4YJKjS79XM3F61y.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.aS4XS9m23e.exe.4f20000.10.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: 0.2.aS4XS9m23e.exe.245e390.2.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: 0.2.aS4XS9m23e.exe.244a74c.1.raw.unpack, ReactionVessel.cs | Suspicious method names: .ReactionVessel.Inject
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@20/15@0/1
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | File created: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7128:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \BaseNamedObjects\Local\SM0:6868:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6884:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5012:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7032:120:WilError_03
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | File created: C:\Users\user\AppData\Local\Temp\tmpA2E9.tmp
Source: aS4XS9m23e.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: aS4XS9m23e.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
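The Static PE information rows are read straight from two header fields: the Characteristics word of the COFF file header (EXECUTABLE_IMAGE, 32BIT_MACHINE) and the Characteristics dword of each section header (IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ for .text). The parser below is an added example, not part of the report or of Joe Sandbox. It decodes those fields from a minimal constructed 32-bit image built by `build_sample_pe` (an assumption, not the sample's real headers) and additionally flags any section that is both writable and executable, a layout the .text rows above do not show but that packed or self-decrypting images commonly carry.

```python
import datetime
import struct

# COFF FileHeader.Characteristics bits, named as the report names them
FILE_CHARACTERISTICS = {
    0x0002: "EXECUTABLE_IMAGE",
    0x0020: "LARGE_ADDRESS_AWARE",
    0x0100: "32BIT_MACHINE",
    0x2000: "DLL",
}
# SectionHeader.Characteristics bits
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
SECTION_CHARACTERISTICS = {
    IMAGE_SCN_CNT_CODE: "IMAGE_SCN_CNT_CODE",
    IMAGE_SCN_CNT_INITIALIZED_DATA: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    IMAGE_SCN_MEM_EXECUTE: "IMAGE_SCN_MEM_EXECUTE",
    IMAGE_SCN_MEM_READ: "IMAGE_SCN_MEM_READ",
    IMAGE_SCN_MEM_WRITE: "IMAGE_SCN_MEM_WRITE",
}

# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics
COFF_FMT = "<HHIIIHH"
# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"


def _flag_names(value, table):
    return [name for bit, name in sorted(table.items()) if value & bit]


def parse_pe(data):
    """Read the COFF header and section table of a PE image and return the
    fields behind the 'Static PE information' rows."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("PE signature not found at e_lfanew")
    coff_off = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, chars = struct.unpack_from(COFF_FMT, data, coff_off)
    section_table = coff_off + struct.calcsize(COFF_FMT) + opt_size
    sections = []
    for i in range(nsections):
        fields = struct.unpack_from(SECTION_FMT, data, section_table + i * struct.calcsize(SECTION_FMT))
        sc = fields[9]
        sections.append({
            "name": fields[0].rstrip(b"\x00").decode("ascii", "replace"),
            "virtual_size": fields[1],
            "raw_size": fields[3],
            "characteristics": _flag_names(sc, SECTION_CHARACTERISTICS),
            "writable_and_executable": bool(sc & IMAGE_SCN_MEM_WRITE) and bool(sc & IMAGE_SCN_MEM_EXECUTE),
        })
    return {
        "machine": hex(machine),
        "timestamp_utc": datetime.datetime.fromtimestamp(timestamp, datetime.timezone.utc).isoformat(),
        "characteristics": _flag_names(chars, FILE_CHARACTERISTICS),
        "sections": sections,
    }


def wx_sections(pe):
    """Names of sections that are both writable and executable, the layout a
    packer or self-decrypting stub needs and a normal compiler does not emit."""
    return [s["name"] for s in pe["sections"] if s["writable_and_executable"]]


def build_sample_pe(text_flags=IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ):
    """Constructed minimal 32-bit image (MZ stub, PE signature, COFF header,
    zero-filled PE32 optional header, .text and .rsrc headers). It is not
    loadable; it exists only to exercise parse_pe offline. The timestamp is
    an arbitrary constructed value."""
    e_lfanew = 0x80
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    dos += b"\x00" * (e_lfanew - len(dos))
    opt_size = 0xE0   # size of a PE32 optional header
    coff = struct.pack(COFF_FMT, 0x14C, 2, 1723000000, 0, 0, opt_size, 0x0002 | 0x0100)
    optional = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)   # PE32 magic, rest zeroed
    text = struct.pack(SECTION_FMT, b".text", 0x1000, 0x2000, 0x1000, 0x200, 0, 0, 0, 0, text_flags)
    rsrc = struct.pack(SECTION_FMT, b".rsrc", 0x400, 0x4000, 0x400, 0x1200, 0, 0, 0, 0,
                       IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ)
    return dos + b"PE\x00\x00" + coff + optional + text + rsrc


if __name__ == "__main__":
    pe = parse_pe(build_sample_pe())
    print(pe["characteristics"], pe["timestamp_utc"])
    for s in pe["sections"]:
        print(s["name"], s["characteristics"])
    print("W+X sections:", wx_sections(pe))
```

To run it on the real sample, replace the constructed bytes with `open(path, "rb").read()`; the same two header fields are what produce the report's rows, so the output should reproduce them.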
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process Where SessionId='1'
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Process
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: aS4XS9m23e.exe | ReversingLabs: Detection: 65%
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | File read: C:\Users\user\Desktop\aS4XS9m23e.exe
Source: unknown | Process created: C:\Users\user\Desktop\aS4XS9m23e.exe "C:\Users\user\Desktop\aS4XS9m23e.exe"
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\aS4XS9m23e.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjCLFIohWTlhgd" /XML "C:\Users\user\AppData\Local\Temp\tmpA2E9.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Process created: C:\Users\user\Desktop\aS4XS9m23e.exe "C:\Users\user\Desktop\aS4XS9m23e.exe"
Source: unknown | Process created: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjCLFIohWTlhgd" /XML "C:\Users\user\AppData\Local\Temp\tmpB4FA.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Process created: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe "C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe"
Source: C:\Windows\System32\conhost.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
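The process tree above carries the three signals an endpoint rule would key on: powershell.exe running Add-MpPreference -ExclusionPath once for the sample and once for the dropped mjCLFIohWTlhgd.exe; schtasks.exe /Create registering the task "Updates\mjCLFIohWTlhgd" from a /XML definition written to the user's Temp directory (tmpA2E9.tmp, then tmpB4FA.tmp); and each stage launching a second copy of its own image. The detection logic below is an added example, not Joe Sandbox or Sigma code. It runs those three checks over constructed process-creation events modeled on the rows above; the event field names (id, parent_image, image, command_line) are an assumed simplification of a Sysmon event 1 or 4688 record, and the -EncodedCommand event is a constructed variant that goes beyond the rows to show why the PowerShell check decodes base64 before matching.

```python
import base64
import ntpath
import re
import shlex

TEMP_DIR_FRAGMENTS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")


def split_args(command_line):
    """Tokenize a Windows command line: quotes group, backslashes are literal."""
    return [t.strip('"') for t in shlex.split(command_line, posix=False)]


def powershell_script(args):
    """Return the text PowerShell will execute. If an -EncodedCommand argument
    (any unambiguous prefix such as -e or -enc) is present, the base64 UTF-16LE
    payload is decoded so the match runs on the real cmdlet, not on the blob."""
    for i, arg in enumerate(args[:-1]):
        flag = arg.lower()
        if len(flag) >= 2 and "-encodedcommand".startswith(flag):
            try:
                return base64.b64decode(args[i + 1]).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return ""
    return " ".join(args[1:])


def rule_defender_exclusion(ev):
    """powershell.exe adding a Defender exclusion (Add-/Set-MpPreference -Exclusion*)."""
    if ntpath.basename(ev["image"]).lower() not in ("powershell.exe", "pwsh.exe"):
        return False
    script = powershell_script(split_args(ev["command_line"])).lower()
    return bool(re.search(r"\b(add|set)-mppreference\b", script)) and "-exclusion" in script


def rule_schtasks_xml_from_temp(ev):
    """schtasks.exe /Create whose /XML task definition lives in a temp directory."""
    if ntpath.basename(ev["image"]).lower() != "schtasks.exe":
        return False
    lowered = [a.lower() for a in split_args(ev["command_line"])]
    if "/create" not in lowered or "/xml" not in lowered:
        return False
    idx = lowered.index("/xml") + 1
    xml_path = lowered[idx] if idx < len(lowered) else ""
    return any(frag in xml_path for frag in TEMP_DIR_FRAGMENTS)


def rule_self_spawn(ev):
    """A process starting a second copy of its own image. Weak on its own
    (updaters do it too); strong when it co-occurs with the two rules above."""
    parent = ev.get("parent_image")
    return bool(parent) and parent.lower() == ev["image"].lower()


RULES = {
    "defender_exclusion_via_powershell": rule_defender_exclusion,
    "schtasks_xml_from_temp": rule_schtasks_xml_from_temp,
    "self_spawn": rule_self_spawn,
}


def evaluate(events):
    """Return (event id, rule name) pairs for every rule each event matches."""
    return [(ev["id"], name) for ev in events for name, rule in RULES.items() if rule(ev)]


# Constructed variant: the same cmdlet hidden behind -EncodedCommand.
_ENCODED = base64.b64encode(
    'Add-MpPreference -ExclusionPath "C:\\Users\\user\\AppData\\Roaming\\mjCLFIohWTlhgd.exe"'.encode("utf-16-le")
).decode("ascii")

# Constructed events modeled on the process tree rows; ids are arbitrary.
SAMPLE_EVENTS = [
    {"id": 1, "parent_image": None,
     "image": r"C:\Users\user\Desktop\aS4XS9m23e.exe",
     "command_line": r'"C:\Users\user\Desktop\aS4XS9m23e.exe"'},
    {"id": 2, "parent_image": r"C:\Users\user\Desktop\aS4XS9m23e.exe",
     "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\aS4XS9m23e.exe"'},
    {"id": 3, "parent_image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\conhost.exe",
     "command_line": r"C:\Windows\system32\conhost.exe 0xffffffff -ForceV1"},
    {"id": 4, "parent_image": r"C:\Users\user\Desktop\aS4XS9m23e.exe",
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "command_line": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjCLFIohWTlhgd" /XML "C:\Users\user\AppData\Local\Temp\tmpA2E9.tmp"'},
    {"id": 5, "parent_image": r"C:\Users\user\Desktop\aS4XS9m23e.exe",
     "image": r"C:\Users\user\Desktop\aS4XS9m23e.exe",
     "command_line": r'"C:\Users\user\Desktop\aS4XS9m23e.exe"'},
    {"id": 6, "parent_image": r"C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -enc " + _ENCODED},
    # constructed benign control: a task registered from a non-temp XML
    {"id": 7, "parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "command_line": r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"'},
]

if __name__ == "__main__":
    for event_id, rule_name in evaluate(SAMPLE_EVENTS):
        print(f"event {event_id}: {rule_name}")
```

The rules match on the decoded command text and on the full path of the /XML argument rather than on substrings of the raw command line, which is what lets event 6 fire and event 7 stay quiet; a rule that only grepped for "Add-MpPreference" would miss the encoded form, and one that only looked for "/XML" would alert on every legitimately scripted task.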
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: appxsip.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: opcservices.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wininet.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: microsoft.management.infrastructure.native.unmanaged.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: miutils.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wmidcom.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: dpapi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeSection loaded: mscoree.dllJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeSection loaded: version.dllJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeSection loaded: uxtheme.dllJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeSection loaded: windows.storage.dllJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeSection loaded: wldp.dllJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeSection loaded: profapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeSection loaded: cryptsp.dllJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeSection loaded: rsaenh.dllJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeSection loaded: cryptbase.dllJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeSection loaded: dwrite.dllJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeSection loaded: msvcp140_clr0400.dllJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeSection loaded: mswsock.dllJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeSection loaded: secur32.dllJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeSection loaded: wbemcomn.dllJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeSection loaded: amsi.dllJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeSection loaded: userenv.dllJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeSection loaded: dpapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeSection loaded: rstrtmgr.dllJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeSection loaded: ncrypt.dllJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeSection loaded: ntasn1.dllJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeSection loaded: windowscodecs.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: mscoree.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: apphelp.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: version.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: uxtheme.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: windows.storage.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: wldp.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: profapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: cryptsp.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: rsaenh.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: cryptbase.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: windowscodecs.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: amsi.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: userenv.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: msasn1.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: gpapi.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: propsys.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: edputil.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: urlmon.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: iertutil.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: srvcli.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: netutils.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: wintypes.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: appresolver.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: bcp47langs.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: slc.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: sppc.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                          Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                          Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: mscoree.dll
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: kernel.appcore.dll
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: version.dll
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: vcruntime140_clr0400.dll
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: ucrtbase_clr0400.dll
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: uxtheme.dll
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: windows.storage.dll
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: wldp.dll
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: profapi.dll
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: cryptsp.dll
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: rsaenh.dll
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: cryptbase.dll
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: dwrite.dll
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: msvcp140_clr0400.dll
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: mswsock.dll
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: secur32.dll
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: sspicli.dll
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: wbemcomn.dll
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: amsi.dll
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: userenv.dll
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: dpapi.dll
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: rstrtmgr.dll
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: ncrypt.dll
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: ntasn1.dll
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeSection loaded: windowscodecs.dll
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                          Source: Window RecorderWindow detected: More than 3 window changes detected
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                          Source: aS4XS9m23e.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                          Source: aS4XS9m23e.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Source: aS4XS9m23e.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                          Source: Binary string: RCDR.pdbSHA256= source: aS4XS9m23e.exe, mjCLFIohWTlhgd.exe.0.dr
                          Source: Binary string: RCDR.pdb source: aS4XS9m23e.exe, mjCLFIohWTlhgd.exe.0.dr

Data Obfuscation

Source: aS4XS9m23e.exe, FormMain.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: mjCLFIohWTlhgd.exe.0.dr, FormMain.cs | .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
Source: 0.2.aS4XS9m23e.exe.4ce0000.9.raw.unpack, PingPong.cs | .Net Code: _202B_206B_206C_202A_206A_202A_200D_200F_200B_202D_206D_202A_206D_206E_206A_202B_200F_200D_202B_202B_202D_206C_200F_206C_206A_206E_200C_202D_206F_206D_206A_202D_200C_200D_200E_206D_200E_202D_206E_200E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.aS4XS9m23e.exe.34045c0.6.raw.unpack, PingPong.cs | .Net Code: _202B_206B_206C_202A_206A_202A_200D_200F_200B_202D_206D_202A_206D_206E_206A_202B_200F_200D_202B_202B_202D_206C_200F_206C_206A_206E_200C_202D_206F_206D_206A_202D_200C_200D_200E_206D_200E_202D_206E_200E_202E System.Reflection.Assembly.Load(byte[])
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, SImenbonHhNE64Sk5C.cs | .Net Code: fn5TswrbXPesOPsTicT System.Reflection.Assembly.Load(byte[])
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, SImenbonHhNE64Sk5C.cs | .Net Code: fn5TswrbXPesOPsTicT System.Reflection.Assembly.Load(byte[])
Source: aS4XS9m23e.exe | Static PE information: 0xEE1E000E [Sat Aug 4 18:31:42 2096 UTC]
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Code function: 0_2_07A38F45 push FFFFFF8Bh; iretd 0_2_07A38F47
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Code function: 0_2_07A35BE0 push esp; ret 0_2_07A35BE1
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Code function: 7_2_02BEC1E1 push cs; retf 7_2_02BEC1EE
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Code function: 7_2_02BE47D7 push ebp; ret 7_2_02BE483D
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Code function: 7_2_02BE983A push eax; retf 7_2_02BE983B
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 8_2_05A0268B push esp; ret 8_2_05A0268C
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 8_2_05A059CE push 69FFFFFEh; ret 8_2_05A059D3
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 12_2_054CD442 push eax; ret 12_2_054CD451
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 12_2_05AD8C90 push ecx; ret 12_2_05AD8EE2
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 12_2_05AD8E90 push ecx; ret 12_2_05AD8EE2
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 12_2_067A75DC push 8BD08BFCh; iretd 12_2_067A75E1
Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Code function: 12_2_067A7A92 push 8BD08BFCh; iretd 12_2_067A7A97
Source: aS4XS9m23e.exe | Static PE information: section name: .text entropy: 7.827386336620395
Source: mjCLFIohWTlhgd.exe.0.dr | Static PE information: section name: .text entropy: 7.827386336620395
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, R8S4YJKjS79XM3F61y.cs | High entropy of concatenated method names: 'FfDXvohTcS', 'UhxXYCsXJe', 'znCXDmeATt', 'IliX86Ofuj', 'h2VXphg2j1', 'LvOXRcjcZd', 'HsiX1jh0bY', 'QoZX3THgJ7', 's1FXlBhm9K', 'fyoXrKlbU1'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, zAxyIpwTKhnef4K7Nv.cs | High entropy of concatenated method names: 'HxPiGsF9bb', 'BQjiNk8wDs', 'fytdjg4H2Q', 'dT2d6Md6UJ', 'kXddnqXiwI', 'J5adOdJcdu', 'oNrdqQaALg', 'Tg8dATJvu2', 'bdWdhsUSxU', 'JIKdB7j6Rv'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, WFU9KKJA5xKyctnM2Z.cs | High entropy of concatenated method names: 'OSvQa8S4YJ', 'HS7Qo9XM3F', 'dfrQ9NoViC', 'lwDQ72MAxy', 'vK7QgNvqRV', 'SrjQPkL5TF', 'NJ3TvCIsGVLhwJm7x2', 'n9hKlaFDwDNUtQwjS1', 'DZ7QQBaupv', 'qKtQcWh1B5'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, FRButebDvSMlp4EWM0.cs | High entropy of concatenated method names: 'hGTY7p6japrTPaa9JNu', 'jqQ75b6GMUU8bCE55eI', 'zDWksYhrX2', 'KbvkC5HseB', 'HRQkTqaXD7', 'srJVQd63reVKHbMgXjS', 'hfUBiQ6cLYJAS1E3yil', 'MKYX6o68xtXd7hHc6sV'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, QqIB8XXbskoyyUDO29.cs | High entropy of concatenated method names: 'Dispose', 'YhCQloIRE3', 'pWUEbF5X9D', 'Gpqee9gSF4', 'gBkQrYKcgu', 'qXiQz27w25', 'ProcessDialogKey', 'HscEVHD9Pf', 'mUpEQPvnhW', 'cRnEESW7CB'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, BIwkGYdbdIvNJ2eTjq.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'topElYP9h4', 'PUfEra9DVu', 'O3mEzo68Yf', 'NgCcVEF1m4', 'v2kcQiMjZq', 'UQxcESKktE', 'JELccXZsuB', 'q1STGEr6O69up7UREVT'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, DDMeWyDwJlBT3BPtTq.cs | High entropy of concatenated method names: 'ToString', 'jZJPLOuZWI', 'cS6Pb9xZ1G', 'DS5PjmNn80', 'amwP6CBAff', 'rKyPnH3huG', 'NlTPOqEHmU', 'FHbPq1WKFY', 'DBSPAOTPWw', 'GvUPhMlyl6'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, o8lBHfRxpS5EawtT34.cs | High entropy of concatenated method names: 'HBMx3Rfgrp', 'sC7xrYBd0H', 'z8ksVr53YJ', 'DjssQnXq5g', 'gNOxLnS338', 'Bckx03KM3Q', 'lFdxItxas9', 'LYYxv28ht5', 'kjQxYknRIo', 'jHvxDF45hr'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, brw85TEd7RapdvLqKK.cs | High entropy of concatenated method names: 'IPjMJ0Y86', 'OBq2EWQuk', 'TgkSyElB5', 'jegN4pGfh', 'tB9mc0yl9', 'tLnwyTuMq', 'WihXxYOO5w65aZJA0V', 'R4XY34NEuctyvqX3fU', 'JoOsJAVll', 'scwTLw7lc'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, pyj4hWQcGquiBcRb4yO.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UhgTvWxAJP', 'mNZTYDaCOu', 'Jl7TDTqAar', 'bVKT82Lyst', 'bsmTpaIpk7', 'HhmTRY600Q', 'jEqT1KhHKP'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, IRJXpUQVdUfGuHIwlYH.cs | High entropy of concatenated method names: 'U6oCZRqgGs', 'XPZC5NA5tr', 'vKCCMLDokZ', 'QZGC2L8GlV', 'MLXCGiGqLo', 's8bCSJf39m', 'j5jCNisyjG', 'sZGCKYXwb7', 'uRwCmT40an', 'UbSCw1hYow'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, dHD9Pfl9UpPvnhWcRn.cs | High entropy of concatenated method names: 'ibtsuEuuvM', 'Y4MsbAUCw2', 'SIVsjRTNC4', 'byIs68x49Q', 'wKCsvrw3UJ', 'cfcsnCB5H5', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, FkWti3qZvcHhuARErS.cs | High entropy of concatenated method names: 'WA6afCa0O2', 'k8fadxi5if', 'akTakpMol3', 'IcSkrcqKvM', 'SHckzoYbwj', 'IAbaV2rsEN', 'OGVaQp9bqI', 'GRsaEAVewA', 'e0gacXP7Ns', 'kZiaJ9X9dV'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, R1BKZNIvfU2wWRS7CK.cs | High entropy of concatenated method names: 'wt4FKLlEJi', 'wMKFmmBn85', 'fXCFuLP3Kr', 'w21FbwgmiI', 'sDTF6jUVfv', 'cB4FnqvAXp', 's1VFqO5Jay', 'xslFATIJqS', 'vG1FBi30KE', 'hBmFLJSaQB'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, NkYKcg3usXi27w25js.cs | High entropy of concatenated method names: 'mlCsfm45hm', 'kIVsXWfoMx', 'jbrsdLVaDT', 'eSKsikejPA', 'HgwskUJNq3', 'RpSsaqLcGG', 'SfRsowi3BM', 'kWWsHJopS2', 'chxs96U7Ns', 'spts7Mc2Sp'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, IYRikavddLvq8ZhnHY.cs | High entropy of concatenated method names: 'gZ2gBaEiBJ', 'EC7g0E9A3D', 'A4bgv6bwTA', 'lwBgYqGLPM', 'OSwgbR6qTl', 'KlYgjIyVRm', 'iCMg6KPADW', 'Gcwgn4rSqE', 'uTYgO2BWdV', 'M0Agq35Gkp'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, j6JrWi8mtm7M3mOwCy.cs | High entropy of concatenated method names: 'wRgx9qSqkd', 'jYXx7TFuul', 'ToString', 'kt5xfqOobQ', 'FsaxX4BR5l', 'fCqxdFUWKb', 'oGOxi9jQsn', 'eohxkPP2N6', 'Bl0xayjoIj', 'KJWxo9J3mk'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, SImenbonHhNE64Sk5C.cs | High entropy of concatenated method names: 'pEAcyPhptD', 'l7RcfmIX1x', 'vnacXR5imR', 'moxcd3om5b', 'g3icitNb5B', 'EG7ck2ly02', 'SUocafTqtN', 'neHcoFCpTJ', 'nm6cHcwFb6', 'EMEc9bt8d4'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, BW7CBHr7yd8eYI7iuI.cs | High entropy of concatenated method names: 'j22CQPF8R3', 'Vk5CcmYdtj', 'F1QCJqY6v1', 'yBRCfp8AJ5', 'UZFCXhZSIC', 'i5LCiGa1EA', 'c92CkIbkvl', 'fv9s1Gv8Ln', 'dvxs3iE4da', 'Om4sloWhjq'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, iawlVJmfrNoViCHwD2.cs | High entropy of concatenated method names: 'XeFd2utP7q', 'S9VdSxSx0V', 'dRhdKTelS7', 'dQgdmM19s8', 'ES3dgtrrDJ', 'XAIdP323RM', 'zmtdxW2HIR', 'nJkdsScFVE', 'uG7dCPG3KH', 'EZ8dTo7ppr'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, KRVDrjukL5TFTGeb51.cs | High entropy of concatenated method names: 'JT1kyCD5uD', 'oY3kXfKb29', 'qufkie1FNQ', 'F2qkaZAMuS', 'uhtkoTgmdm', 'LLhipIDYYF', 'nUliRM5HNg', 'R9Xi1WHDto', 'Eu3i3GGalY', 'va6ilkLstF'
Source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, Jc68PPhxOf9FN6n7TO.cs | High entropy of concatenated method names: 'yIPaZqGyf8', 'vXia5hG2cB', 'EFaaMxhyHo', 'RSpa275tyi', 'DRWaGADwKA', 'AWaaSr3JKP', 'qTVaNXyQLJ', 'N4baKomYc6', 'W0bamfAptJ', 'unCawhilSD'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, R8S4YJKjS79XM3F61y.cs | High entropy of concatenated method names: 'FfDXvohTcS', 'UhxXYCsXJe', 'znCXDmeATt', 'IliX86Ofuj', 'h2VXphg2j1', 'LvOXRcjcZd', 'HsiX1jh0bY', 'QoZX3THgJ7', 's1FXlBhm9K', 'fyoXrKlbU1'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, zAxyIpwTKhnef4K7Nv.cs | High entropy of concatenated method names: 'HxPiGsF9bb', 'BQjiNk8wDs', 'fytdjg4H2Q', 'dT2d6Md6UJ', 'kXddnqXiwI', 'J5adOdJcdu', 'oNrdqQaALg', 'Tg8dATJvu2', 'bdWdhsUSxU', 'JIKdB7j6Rv'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, WFU9KKJA5xKyctnM2Z.cs | High entropy of concatenated method names: 'OSvQa8S4YJ', 'HS7Qo9XM3F', 'dfrQ9NoViC', 'lwDQ72MAxy', 'vK7QgNvqRV', 'SrjQPkL5TF', 'NJ3TvCIsGVLhwJm7x2', 'n9hKlaFDwDNUtQwjS1', 'DZ7QQBaupv', 'qKtQcWh1B5'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, FRButebDvSMlp4EWM0.cs | High entropy of concatenated method names: 'hGTY7p6japrTPaa9JNu', 'jqQ75b6GMUU8bCE55eI', 'zDWksYhrX2', 'KbvkC5HseB', 'HRQkTqaXD7', 'srJVQd63reVKHbMgXjS', 'hfUBiQ6cLYJAS1E3yil', 'MKYX6o68xtXd7hHc6sV'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, QqIB8XXbskoyyUDO29.cs | High entropy of concatenated method names: 'Dispose', 'YhCQloIRE3', 'pWUEbF5X9D', 'Gpqee9gSF4', 'gBkQrYKcgu', 'qXiQz27w25', 'ProcessDialogKey', 'HscEVHD9Pf', 'mUpEQPvnhW', 'cRnEESW7CB'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, BIwkGYdbdIvNJ2eTjq.cs | High entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'topElYP9h4', 'PUfEra9DVu', 'O3mEzo68Yf', 'NgCcVEF1m4', 'v2kcQiMjZq', 'UQxcESKktE', 'JELccXZsuB', 'q1STGEr6O69up7UREVT'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, DDMeWyDwJlBT3BPtTq.cs | High entropy of concatenated method names: 'ToString', 'jZJPLOuZWI', 'cS6Pb9xZ1G', 'DS5PjmNn80', 'amwP6CBAff', 'rKyPnH3huG', 'NlTPOqEHmU', 'FHbPq1WKFY', 'DBSPAOTPWw', 'GvUPhMlyl6'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, o8lBHfRxpS5EawtT34.cs | High entropy of concatenated method names: 'HBMx3Rfgrp', 'sC7xrYBd0H', 'z8ksVr53YJ', 'DjssQnXq5g', 'gNOxLnS338', 'Bckx03KM3Q', 'lFdxItxas9', 'LYYxv28ht5', 'kjQxYknRIo', 'jHvxDF45hr'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, brw85TEd7RapdvLqKK.cs | High entropy of concatenated method names: 'IPjMJ0Y86', 'OBq2EWQuk', 'TgkSyElB5', 'jegN4pGfh', 'tB9mc0yl9', 'tLnwyTuMq', 'WihXxYOO5w65aZJA0V', 'R4XY34NEuctyvqX3fU', 'JoOsJAVll', 'scwTLw7lc'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, pyj4hWQcGquiBcRb4yO.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'UhgTvWxAJP', 'mNZTYDaCOu', 'Jl7TDTqAar', 'bVKT82Lyst', 'bsmTpaIpk7', 'HhmTRY600Q', 'jEqT1KhHKP'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, IRJXpUQVdUfGuHIwlYH.cs | High entropy of concatenated method names: 'U6oCZRqgGs', 'XPZC5NA5tr', 'vKCCMLDokZ', 'QZGC2L8GlV', 'MLXCGiGqLo', 's8bCSJf39m', 'j5jCNisyjG', 'sZGCKYXwb7', 'uRwCmT40an', 'UbSCw1hYow'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, dHD9Pfl9UpPvnhWcRn.cs | High entropy of concatenated method names: 'ibtsuEuuvM', 'Y4MsbAUCw2', 'SIVsjRTNC4', 'byIs68x49Q', 'wKCsvrw3UJ', 'cfcsnCB5H5', 'Next', 'Next', 'Next', 'NextBytes'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, FkWti3qZvcHhuARErS.cs | High entropy of concatenated method names: 'WA6afCa0O2', 'k8fadxi5if', 'akTakpMol3', 'IcSkrcqKvM', 'SHckzoYbwj', 'IAbaV2rsEN', 'OGVaQp9bqI', 'GRsaEAVewA', 'e0gacXP7Ns', 'kZiaJ9X9dV'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, R1BKZNIvfU2wWRS7CK.cs | High entropy of concatenated method names: 'wt4FKLlEJi', 'wMKFmmBn85', 'fXCFuLP3Kr', 'w21FbwgmiI', 'sDTF6jUVfv', 'cB4FnqvAXp', 's1VFqO5Jay', 'xslFATIJqS', 'vG1FBi30KE', 'hBmFLJSaQB'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, NkYKcg3usXi27w25js.cs | High entropy of concatenated method names: 'mlCsfm45hm', 'kIVsXWfoMx', 'jbrsdLVaDT', 'eSKsikejPA', 'HgwskUJNq3', 'RpSsaqLcGG', 'SfRsowi3BM', 'kWWsHJopS2', 'chxs96U7Ns', 'spts7Mc2Sp'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, IYRikavddLvq8ZhnHY.cs | High entropy of concatenated method names: 'gZ2gBaEiBJ', 'EC7g0E9A3D', 'A4bgv6bwTA', 'lwBgYqGLPM', 'OSwgbR6qTl', 'KlYgjIyVRm', 'iCMg6KPADW', 'Gcwgn4rSqE', 'uTYgO2BWdV', 'M0Agq35Gkp'
Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, j6JrWi8mtm7M3mOwCy.cs | High entropy of concatenated method names: 'wRgx9qSqkd', 'jYXx7TFuul', 'ToString', 'kt5xfqOobQ', 'FsaxX4BR5l', 'fCqxdFUWKb', 'oGOxi9jQsn', 'eohxkPP2N6', 'Bl0xayjoIj', 'KJWxo9J3mk'
                          Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, SImenbonHhNE64Sk5C.csHigh entropy of concatenated method names: 'pEAcyPhptD', 'l7RcfmIX1x', 'vnacXR5imR', 'moxcd3om5b', 'g3icitNb5B', 'EG7ck2ly02', 'SUocafTqtN', 'neHcoFCpTJ', 'nm6cHcwFb6', 'EMEc9bt8d4'
                          Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, BW7CBHr7yd8eYI7iuI.csHigh entropy of concatenated method names: 'j22CQPF8R3', 'Vk5CcmYdtj', 'F1QCJqY6v1', 'yBRCfp8AJ5', 'UZFCXhZSIC', 'i5LCiGa1EA', 'c92CkIbkvl', 'fv9s1Gv8Ln', 'dvxs3iE4da', 'Om4sloWhjq'
                          Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, iawlVJmfrNoViCHwD2.csHigh entropy of concatenated method names: 'XeFd2utP7q', 'S9VdSxSx0V', 'dRhdKTelS7', 'dQgdmM19s8', 'ES3dgtrrDJ', 'XAIdP323RM', 'zmtdxW2HIR', 'nJkdsScFVE', 'uG7dCPG3KH', 'EZ8dTo7ppr'
                          Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, KRVDrjukL5TFTGeb51.csHigh entropy of concatenated method names: 'JT1kyCD5uD', 'oY3kXfKb29', 'qufkie1FNQ', 'F2qkaZAMuS', 'uhtkoTgmdm', 'LLhipIDYYF', 'nUliRM5HNg', 'R9Xi1WHDto', 'Eu3i3GGalY', 'va6ilkLstF'
                          Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, Jc68PPhxOf9FN6n7TO.csHigh entropy of concatenated method names: 'yIPaZqGyf8', 'vXia5hG2cB', 'EFaaMxhyHo', 'RSpa275tyi', 'DRWaGADwKA', 'AWaaSr3JKP', 'qTVaNXyQLJ', 'N4baKomYc6', 'W0bamfAptJ', 'unCawhilSD'
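The entries above all key on one metric: the Shannon entropy of a class's method names concatenated into a single string. Renamed members such as 'OSvQa8S4YJ' draw from the whole of [A-Za-z0-9] and push the value towards the ceiling, while readable .NET names stay near the 4 to 4.5 bits per character of ordinary text. The following added example reproduces that check (it is not Joe Sandbox's code, and the 5.0 bits/char cut-off is this example's own choice, since the page does not state the signature's threshold) on the names from the first entry above and on a constructed set of ordinary .NET member names, so that the gap the signature relies on is visible in numbers.

```python
import math
import re
from collections import Counter

# Evidence line copied from the report (the extraction fused the source and the
# description into one string; the parser below only needs the quoted names).
REPORT_LINE = (
    "Source: 0.2.aS4XS9m23e.exe.7d50000.11.raw.unpack, WFU9KKJA5xKyctnM2Z.cs "
    "High entropy of concatenated method names: 'OSvQa8S4YJ', 'HS7Qo9XM3F', "
    "'dfrQ9NoViC', 'lwDQ72MAxy', 'vK7QgNvqRV', 'SrjQPkL5TF', 'NJ3TvCIsGVLhwJm7x2', "
    "'n9hKlaFDwDNUtQwjS1', 'DZ7QQBaupv', 'qKtQcWh1B5'"
)

# Constructed comparison set: ordinary .NET member names of the kind an
# un-obfuscated class exposes. Some also occur in the report's own lists, where
# a class overrides framework members and the obfuscator has to keep the name.
ORDINARY_NAMES = [
    'Dispose', 'ToString', 'GetHashCode', 'Equals', 'CanConvertFrom',
    'ConvertFrom', 'ConvertTo', 'ProcessDialogKey', 'EditValue', 'GetEditStyle',
]

# Cut-off in bits per character. This is the example's own choice; the report
# page does not state the threshold Joe Sandbox applies.
ENTROPY_THRESHOLD = 5.0


def method_names_from_line(line: str) -> list:
    """Pull the single-quoted method names out of a report evidence line."""
    return re.findall(r"'([^']+)'", line)


def shannon_entropy(text: str) -> float:
    """Bits per character of the empirical character distribution of text."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def name_features(names: list) -> dict:
    """Features of a class's member names, computed over their concatenation."""
    joined = ''.join(names)
    return {
        'length': len(joined),
        'entropy': shannon_entropy(joined),
        # Random identifiers almost always contain digits; readable ones rarely do.
        'digit_ratio': (sum(any(ch.isdigit() for ch in n) for n in names) / len(names)
                        if names else 0.0),
    }


def looks_obfuscated(names: list, threshold: float = ENTROPY_THRESHOLD) -> bool:
    """True when the concatenated names carry at least `threshold` bits per character."""
    return name_features(names)['entropy'] >= threshold


if __name__ == '__main__':
    for label, names in (('report class', method_names_from_line(REPORT_LINE)),
                         ('ordinary names', ORDINARY_NAMES)):
        f = name_features(names)
        print(f"{label:15s} entropy={f['entropy']:.2f} bits/char "
              f"digits={f['digit_ratio']:.0%} obfuscated={looks_obfuscated(names)}")
```

Two caveats when reusing the metric: the entropy of a short string is bounded by log2 of its length, so a class with two or three members cannot trip a fixed threshold however random its names are; and classes that must keep framework member names (Dispose, ToString, CanConvertFrom) are pulled towards the readable range, which is why the report lists those names alongside the renamed ones rather than filtering them out.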
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | File created: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe

                          Boot Survival

Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjCLFIohWTlhgd" /XML "C:\Users\user\AppData\Local\Temp\tmpA2E9.tmp"
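The registration above is what the Sigma rule "Scheduled temp file as task from temp location" fires on: schtasks is handed a task definition that lives in the user's Temp directory, under a task folder named Updates that no installer on the machine created. A responder triaging such an event wants two things from it, the /TN and /XML arguments from the command line and the Exec action inside the XML, to see what the task actually launches and from where. The added example below does that (it is not Joe Sandbox's code or the sample's). The report does not show the contents of tmpA2E9.tmp, so the task XML here is constructed; that it launches the dropped file C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe at logon is an assumption of the example, as are the path heuristics. On a live host the same XML comes from Export-ScheduledTask in PowerShell or schtasks /Query /TN <name> /XML.

```python
import re
import xml.etree.ElementTree as ET

# Registration command line copied from the report's "Boot Survival" evidence.
SCHTASKS_CMDLINE = (
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjCLFIohWTlhgd" '
    r'/XML "C:\Users\user\AppData\Local\Temp\tmpA2E9.tmp"'
)

# Constructed task definition (assumption: the task starts the dropped file at
# logon; the report does not show the XML). Real exports are UTF-16 and carry an
# XML declaration; read those as bytes and hand them to ET.fromstring unchanged.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
    </LogonTrigger>
  </Triggers>
  <Settings>
    <Hidden>true</Hidden>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe</Command>
    </Exec>
  </Actions>
</Task>"""

# Locations a standard user can write to (heuristic chosen for this example).
# A persistence action or task definition coming from here deserves attention;
# Program Files or System32 normally do not.
USER_WRITABLE = re.compile(
    r'\\AppData\\|\\Temp\\|\\Users\\Public\\|\\ProgramData\\|'
    r'%(APPDATA|LOCALAPPDATA|TEMP|TMP|USERPROFILE|PUBLIC)%',
    re.IGNORECASE,
)

TRIGGER_WHEN = {'LogonTrigger': 'logon', 'BootTrigger': 'boot'}


def is_user_writable(path: str) -> bool:
    return bool(USER_WRITABLE.search(path))


def parse_schtasks_create(cmdline: str):
    """Return (task_name, xml_path) from a 'schtasks /Create /TN ... /XML ...' line."""
    tn = re.search(r'/TN\s+"([^"]+)"', cmdline, re.IGNORECASE)
    xml = re.search(r'/XML\s+"([^"]+)"', cmdline, re.IGNORECASE)
    return (tn.group(1) if tn else None, xml.group(1) if xml else None)


def _local(tag: str) -> str:
    """Strip the namespace from an ElementTree tag such as '{uri}Exec'."""
    return tag.rsplit('}', 1)[-1]


def exec_actions(xml_text: str):
    """Yield (command, arguments) for every <Exec> action in a task definition."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if _local(el.tag) != 'Exec':
            continue
        fields = {_local(c.tag): (c.text or '').strip() for c in el}
        yield fields.get('Command', ''), fields.get('Arguments', '')


def triage_task(cmdline: str, xml_text: str):
    """Return (task_name, findings) for a schtasks registration and its XML."""
    findings = []
    task_name, xml_path = parse_schtasks_create(cmdline)
    if xml_path and is_user_writable(xml_path):
        findings.append(f'task definition supplied from a user-writable path: {xml_path}')
    for command, args in exec_actions(xml_text):
        if is_user_writable(command):
            findings.append(f'Exec action runs from a user-writable path: {command} {args}'.strip())
    for el in ET.fromstring(xml_text).iter():
        name = _local(el.tag)
        if name == 'Hidden' and (el.text or '').strip().lower() == 'true':
            findings.append('Settings/Hidden is true: task is hidden from a default listing')
        if name in TRIGGER_WHEN:
            findings.append(f'{name} present: runs without user action at {TRIGGER_WHEN[name]}')
    return task_name, findings


if __name__ == '__main__':
    name, findings = triage_task(SCHTASKS_CMDLINE, SAMPLE_TASK_XML)
    print(f'task {name}:')
    for finding in findings:
        print('  -', finding)
```

The path check is deliberately coarse: %ProgramData% is included because any user can create files under its root, so an Exec action there should be reviewed rather than trusted on its location alone. Tighten or relax the regular expression to the directory layout of the estate being investigated.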

                          Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Process information set: NOOPENFILEERRORBOX
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe    Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe    Process information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOX
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeProcess information set: NOOPENFILEERRORBOX

                          Malware Analysis System Evasion

                          Source: Yara match | File source: Process Memory Space: aS4XS9m23e.exe PID: 6644, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: mjCLFIohWTlhgd.exe PID: 6432, type: MEMORYSTR
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | WMI Queries: IWbemServices::ExecQuery - root\CIMV2 : SELECT * FROM Win32_VideoController
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Memory allocated: 2250000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Memory allocated: 23E0000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Memory allocated: 43E0000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Memory allocated: 5640000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Memory allocated: 6640000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Memory allocated: 6770000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Memory allocated: 7770000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Memory allocated: 7DE0000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Memory allocated: 8DE0000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Memory allocated: 9DE0000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Memory allocated: ADE0000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Memory allocated: 1240000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Memory allocated: 2CD0000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Memory allocated: 2A30000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Memory allocated: E60000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Memory allocated: 27F0000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Memory allocated: 47F0000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Memory allocated: 5B50000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Memory allocated: 6B50000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Memory allocated: 6C80000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Memory allocated: 7C80000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Memory allocated: 8410000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Memory allocated: 5B50000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Memory allocated: 2D40000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Memory allocated: 2FB0000 memory reserve | memory write watch
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Memory allocated: 2D40000 memory reserve | memory write watch
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5127
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 364
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 5013
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 367
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Window / User API: threadDelayed 943
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Window / User API: threadDelayed 2821
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Window / User API: threadDelayed 1542
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Window / User API: threadDelayed 3865
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe TID: 6720 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6096 | Thread sleep count: 5127 > 30
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7140 | Thread sleep time: -2767011611056431s >= -30000s
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6096 | Thread sleep count: 364 > 30
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7124 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7112 | Thread sleep time: -2767011611056431s >= -30000s
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5840 | Thread sleep time: -1844674407370954s >= -30000s
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe TID: 5312 | Thread sleep time: -11990383647911201s >= -30000s
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe TID: 1928 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe TID: 4192 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe TID: 7076 | Thread sleep time: -20291418481080494s >= -30000s
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe TID: 5672 | Thread sleep time: -922337203685477s >= -30000s
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                          Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Thread delayed: delay time: 922337203685477
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Thread delayed: delay time: 922337203685477
                          Source: aS4XS9m23e.exe, 00000000.00000002.1704789511.00000000006D7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}a
                          Source: aS4XS9m23e.exe, 00000007.00000002.1820320958.000000000107C000.00000004.00000020.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1850838372.00000000010F6000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                          Source: aS4XS9m23e.exe, 00000000.00000002.1715114558.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: 9%fvmci0[P@
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Process token adjusted: Debug
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Memory allocated: page read and write | page guard

                          HIPS / PFW / Operating System Protection Evasion

                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\aS4XS9m23e.exe"
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe"
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\aS4XS9m23e.exe"
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe"
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Memory written: C:\Users\user\Desktop\aS4XS9m23e.exe base: 400000 value starts with: 4D5A
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\aS4XS9m23e.exe"
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe"
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjCLFIohWTlhgd" /XML "C:\Users\user\AppData\Local\Temp\tmpA2E9.tmp"
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Process created: C:\Users\user\Desktop\aS4XS9m23e.exe "C:\Users\user\Desktop\aS4XS9m23e.exe"
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjCLFIohWTlhgd" /XML "C:\Users\user\AppData\Local\Temp\tmpB4FA.tmp"
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | Process created: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe "C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe"
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Queries volume information: C:\Users\user\Desktop\aS4XS9m23e.exe VolumeInformation
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                          Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeQueries volume information: C:\Users\user\Desktop\aS4XS9m23e.exe VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeQueries volume information: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeQueries volume information: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe VolumeInformation
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel\v4.0_4.0.0.0__b77a5c561934e089\System.ServiceModel.dll VolumeInformation
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.IdentityModel\v4.0_4.0.0.0__b77a5c561934e089\System.IdentityModel.dll VolumeInformation
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformation
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformation
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
                          Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\SecurityCenter2 : AntiVirusProduct
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntivirusProduct
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM AntiSpyWareProduct
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter : SELECT * FROM FirewallProduct
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntivirusProduct
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiSpyWareProduct
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM FirewallProduct

                          Stealing of Sensitive Information

                          Source: Yara match | File source: dump.pcap, type: PCAP
                          Source: Yara match | File source: 8.2.mjCLFIohWTlhgd.exe.38345e0.8.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 8.2.mjCLFIohWTlhgd.exe.387f800.4.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.aS4XS9m23e.exe.419ce80.8.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 8.2.mjCLFIohWTlhgd.exe.38345e0.8.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 8.2.mjCLFIohWTlhgd.exe.387f800.4.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.aS4XS9m23e.exe.419ce80.8.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 7.2.aS4XS9m23e.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 00000008.00000002.1753433472.0000000003834000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.1715114558.0000000004194000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000007.00000002.1819381063.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000008.00000002.1753433472.0000000003868000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.1715114558.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000008.00000002.1753433472.00000000038B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.1715114558.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: aS4XS9m23e.exe PID: 6644, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: aS4XS9m23e.exe PID: 4268, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: mjCLFIohWTlhgd.exe PID: 6432, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: mjCLFIohWTlhgd.exe PID: 7112, type: MEMORYSTR
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ElectrumE#
                          Source: mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $^q1C:\Users\user\AppData\Roaming\Electrum\wallets\*
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: JaxxE#
                          Source: mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Exodus\exodus.walletLR^q0
                          Source: mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: %appdata%\Ethereum\walletsLR^q
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: ExodusE#
                          Source: mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $^q%appdata%`,^qdC:\Users\user\AppData\Roaming`,^qdC:\Users\user\AppData\Roaming\Binance
                          Source: aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: EthereumE#
                          Source: mjCLFIohWTlhgd.exe, 0000000C.00000002.1865799472.0000000006400000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: \??\C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\*S
                          Source: mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030F8000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: $^q5C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\*
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extension Cookies
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
                          Source: C:\Users\user\Desktop\aS4XS9m23e.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | File opened: C:\Users\user\AppData\Roaming\atomic\
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | File opened: C:\Users\user\AppData\Roaming\Binance\
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\Cache\
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\db\
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets\
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | File opened: C:\Users\user\AppData\Roaming\Electrum\wallets\
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | File opened: C:\Users\user\AppData\Roaming\Ethereum\wallets\
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet\
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | File opened: C:\Users\user\AppData\Roaming\Exodus\
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | File opened: C:\Users\user\AppData\Roaming\Guarda\
                          Source: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\
                          Source: Yara match | File source: 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 0000000C.00000002.1854072998.00000000030F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: aS4XS9m23e.exe PID: 4268, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: mjCLFIohWTlhgd.exe PID: 7112, type: MEMORYSTR

                          Remote Access Functionality

                          Source: Yara match | File source: dump.pcap, type: PCAP
                          Source: Yara match | File source: 8.2.mjCLFIohWTlhgd.exe.38345e0.8.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 8.2.mjCLFIohWTlhgd.exe.387f800.4.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.aS4XS9m23e.exe.419ce80.8.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 8.2.mjCLFIohWTlhgd.exe.38345e0.8.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 8.2.mjCLFIohWTlhgd.exe.387f800.4.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.aS4XS9m23e.exe.419ce80.8.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 7.2.aS4XS9m23e.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 0.2.aS4XS9m23e.exe.4038820.7.raw.unpack, type: UNPACKEDPE
                          Source: Yara match | File source: 00000008.00000002.1753433472.0000000003834000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.1715114558.0000000004194000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000007.00000002.1819381063.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000008.00000002.1753433472.0000000003868000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.1715114558.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000008.00000002.1753433472.00000000038B3000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: 00000000.00000002.1715114558.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara match | File source: Process Memory Space: aS4XS9m23e.exe PID: 6644, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: aS4XS9m23e.exe PID: 4268, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: mjCLFIohWTlhgd.exe PID: 6432, type: MEMORYSTR
                          Source: Yara match | File source: Process Memory Space: mjCLFIohWTlhgd.exe PID: 7112, type: MEMORYSTR

                          MITRE ATT&CK Matrix (one line per tactic; techniques the report flags for this sample carry the report's numeric marker in brackets, the rest are the unflagged cells of the matrix)

                          Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies
                          Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless
                          Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise
                          Execution: Windows Management Instrumentation [221], Scheduled Task/Job [1], At, Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job
                          Persistence: Scheduled Task/Job [1], DLL Side-Loading [1], Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
                          Privilege Escalation: Process Injection [111], Scheduled Task/Job [1], DLL Side-Loading [1], Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job
                          Defense Evasion: Masquerading [1], Disable or Modify Tools [11], Virtualization/Sandbox Evasion [241], Process Injection [111], Obfuscated Files or Information [2], Software Packing [12], Timestomp [1], DLL Side-Loading [1]
                          Credential Access: OS Credential Dumping [1], LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem
                          Discovery: Security Software Discovery [321], Process Discovery [1], Virtualization/Sandbox Evasion [241], Application Window Discovery [1], File and Directory Discovery [1], System Information Discovery [113], Remote System Discovery, System Owner/User Discovery
                          Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services
                          Collection: Archive Collected Data [1], Data from Local System [3], Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking
                          Command and Control: Encrypted Channel [1], Non-Standard Port [1], Application Layer Protocol [1], Protocol Impersonation, Fallback Channels, Multiband Communication, Commonly Used Port, Application Layer Protocol
                          Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol
                          Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement
                          Behavior Graph ID: 1501227 | Sample: aS4XS9m23e.exe | Start date: 29/08/2024 | Architecture: WINDOWS | Score: 100

                          Signatures on the start node: Suricata IDS alerts for network traffic; Found malware configuration; Sigma detected: Scheduled temp file as task from temp location; 8 other signatures

                          Process tree recovered from the graph (numbers in parentheses are the graph's own node ids):

                          aS4XS9m23e.exe (8), started from the start node
                            dropped: C:\Users\user\AppData\...\mjCLFIohWTlhgd.exe (PE32); C:\...\mjCLFIohWTlhgd.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmpA2E9.tmp (XML); C:\Users\user\AppData\...\aS4XS9m23e.exe.log (ASCII)
                            signatures: Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines); Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines); Uses schtasks.exe or at.exe to add and modify task schedules; 2 other signatures
                            started: aS4XS9m23e.exe (14); powershell.exe (18); powershell.exe (20); schtasks.exe (22)
                              aS4XS9m23e.exe (14): network connection to 85.209.133.187, port 1912 (local ports 49730, 49731), CMCSUS, Germany
                              powershell.exe (18): signature Loading BitLocker PowerShell Module; started conhost.exe (28) and WmiPrvSE.exe (30)
                              powershell.exe (20): started conhost.exe (32)
                              schtasks.exe (22): started conhost.exe (34)
                              conhost.exe (28): started conhost.exe (38)

                          mjCLFIohWTlhgd.exe (12), started from the start node
                            signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file
                            started: mjCLFIohWTlhgd.exe (24); schtasks.exe (26)
                              mjCLFIohWTlhgd.exe (24): signatures Found many strings related to Crypto-Wallets (likely being stolen); Tries to harvest and steal browser information (history, passwords, etc); Tries to steal Crypto Currency Wallets
                              schtasks.exe (26): started conhost.exe (36)

Source | Detection | Scanner | Label
aS4XS9m23e.exe | 66% | ReversingLabs | ByteCode-MSIL.Ransomware.RedLine
aS4XS9m23e.exe | 100% | Joe Sandbox ML |
Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe | 66% | ReversingLabs | ByteCode-MSIL.Ransomware.RedLine
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | 0% | URL Reputation | safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | 0% | URL Reputation | safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | 0% | URL Reputation | safe
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat | 0% | URL Reputation | safe
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | 0% | URL Reputation | safe
https://api.ip.sb/ip | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/04/sc | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | 0% | URL Reputation | safe
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | 0% | URL Reputation | safe
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PC | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKey | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/08/addressing | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/Issue | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/10/wsat/Completion | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/04/trust | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponse | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/Cancel | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id9 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id23ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id14ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id21Response | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/Nonce | 0% | URL Reputation | safe
http://tempuri.org/ | 0% | Avira URL Cloud | safe
85.209.133.187:1912 | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dns | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id12Response | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/Renew | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id8 | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKey | 0% | URL Reputation | safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0 | 0% | URL Reputation | safe
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionID | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCT | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2006/02/addressingidentity | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id6ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id2Response | 0% | Avira URL Cloud | safe
http://schemas.xmlsoap.org/soap/envelope/ | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKey | 0% | URL Reputation | safe
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1 | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/02/trust | 0% | URL Reputation | safe
http://tempuri.org/Entity/Id6 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id19Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id13ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id7 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id4 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id5 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id15Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id1ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id5ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id6Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id20 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id9Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id24Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id24 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id21 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id23 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id22 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id1Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id10 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id21ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id10ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id16Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id11 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id14 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id12 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id13 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id16 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id15 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id17 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id18 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id5Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id11ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id15ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id19 | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id8Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id10Response | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id17ResponseD | 0% | Avira URL Cloud | safe
http://tempuri.org/Entity/Id8ResponseD | 0% | Avira URL Cloud | safe
No contacted domains info
Name | Malicious | Antivirus Detection | Reputation
85.209.133.187:1912 | true | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Text | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/sct | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/sc/dk | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id14ResponseD | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030B8000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003332000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id23ResponseD | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030F8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#HexBinary | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id12Response | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/ | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id2Response | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/sc/dk/p_sha1 | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id21Response | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/2005/02/trust/spnego#GSS_Wrap | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id9 | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003294000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLID | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id8 | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id6ResponseD | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030B8000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003316000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id5 | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Prepare | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id4 | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id7 | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id6 | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust#BinarySecret | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id19Response | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-rel-token-profile-1.0.pdf#license | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/Issue | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Aborted | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/TerminateSequence | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id13ResponseD | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.000000000331E000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030B8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/fault | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKey | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id15Response | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030B8000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id5ResponseD | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030B8000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | aS4XS9m23e.exe, 00000000.00000002.1706854872.00000000026C7000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 00000008.00000002.1750753728.000000000281F000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Renew | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wscoor/Register | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id6Response | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/trust/SymmetricKey | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://api.ip.sb/ip | aS4XS9m23e.exe, 00000000.00000002.1715114558.0000000004194000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000000.00000002.1715114558.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000000.00000002.1715114558.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1819381063.0000000000402000.00000040.00000400.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 00000008.00000002.1753433472.0000000003834000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 00000008.00000002.1753433472.0000000003868000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 00000008.00000002.1753433472.00000000038B3000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/sc | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id1ResponseD | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Volatile2PC | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/RSTR/SCT/Cancel | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id9Response | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id20 | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id21 | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id22 | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://docs.oasis-open.org/wss/oasis-wss-kerberos-token-profile-1.1#Kerberosv5APREQSHA1 | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id23 | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/CK/PSHA1 | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id24 | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/04/security/trust/RSTR/Issue | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://tempuri.org/Entity/Id24Response | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://tempuri.org/Entity/Id1Response | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/rm/AckRequested | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/ReadOnly | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/10/wsat/Replay | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2005/02/trust/tlsnego | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary | aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp | false
                          • URL Reputation: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/10/wsat/Durable2PCaS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/SymmetricKeyaS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://tempuri.org/Entity/Id21ResponseDaS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.000000000329C000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030B8000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/08/addressingaS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2005/02/trust/RST/IssueaS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/10/wsat/CompletionaS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/04/trustaS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://tempuri.org/Entity/Id10aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id11aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id10ResponseDaS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FED000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030B8000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003332000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id12aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id16ResponseaS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/10/wscoor/CreateCoordinationContextResponseaS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2005/02/trust/RST/SCT/CancelaS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://tempuri.org/Entity/Id13aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.000000000326B000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id14aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id15aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id16aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2005/02/trust/NonceaS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://tempuri.org/Entity/Id17aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002F4D000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id18aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id5ResponseaS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id19aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2005/05/identity/claims/dnsaS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://tempuri.org/Entity/Id15ResponseDaS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030F8000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id10ResponseaS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FED000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2005/02/trust/RenewaS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://tempuri.org/Entity/Id11ResponseDaS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002EF9000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://tempuri.org/Entity/Id8ResponseaS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/04/trust/PublicKeyaS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.1#SAMLV2.0aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://docs.oasis-open.org/wss/oasis-wss-saml-token-profile-1.0#SAMLAssertionIDaS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2004/04/security/trust/RST/SCTaS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2006/02/addressingidentityaS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://tempuri.org/Entity/Id17ResponseDaS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FB3000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030B8000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/soap/envelope/aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002CD1000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000002FB1000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://tempuri.org/Entity/Id8ResponseDaS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002FED000.00000004.00000800.00020000.00000000.sdmp, aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002DDA000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.00000000030B8000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003332000.00000004.00000800.00020000.00000000.sdmpfalse
                          • Avira URL Cloud: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2005/02/trust/PublicKeyaS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://docs.oasis-open.org/wss/oasis-wss-soap-message-security-1.1#EncryptedKeySHA1aS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
                          http://schemas.xmlsoap.org/ws/2005/02/trustaS4XS9m23e.exe, 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, mjCLFIohWTlhgd.exe, 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmpfalse
                          • URL Reputation: safe
                          unknown
IP | Domain | Country | ASN | ASN Name | Malicious
85.209.133.187 | unknown | Germany | 33657 | CMCSUS | true
                          Joe Sandbox version:40.0.0 Tourmaline
                          Analysis ID:1501227
                          Start date and time:2024-08-29 15:56:06 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 7m 0s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes:18
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:aS4XS9m23e.exe
                          renamed because original name is a hash value
                          Original Sample Name:a1c682e062a48d9c0b1a1c2d818873e7.exe
                          Detection:MAL
                          Classification:mal100.troj.spyw.evad.winEXE@20/15@0/1
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 98%
                          • Number of executed functions: 214
                          • Number of non-executed functions: 12
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                          • Report size exceeded maximum capacity and may have missing behavior information.
                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                          • Report size getting too big, too many NtCreateKey calls found.
                          • Report size getting too big, too many NtOpenKeyEx calls found.
                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                          • Report size getting too big, too many NtQueryValueKey calls found.
                          • Report size getting too big, too many NtReadVirtualMemory calls found.
                          • VT rate limit hit for: aS4XS9m23e.exe
Time | Type | Description
09:56:59 | API Interceptor | 21x Sleep call for process: aS4XS9m23e.exe modified
09:57:01 | API Interceptor | 37x Sleep call for process: powershell.exe modified
09:57:04 | API Interceptor | 29x Sleep call for process: mjCLFIohWTlhgd.exe modified
14:57:01 | Task Scheduler | Run new task: mjCLFIohWTlhgd path: C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe
                          No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
CMCSUS | PO-014842-2.xls | malicious | FormBook | 45.89.247.151
CMCSUS | August Shipment - Inv No. 041.xls | malicious | Remcos | 45.90.89.98
CMCSUS | SecuriteInfo.com.Exploit.CVE-2017-11882.123.32304.23264.rtf | malicious | Remcos | 45.90.89.98
CMCSUS | file.exe | malicious | RHADAMANTHYS, XWorm | 85.209.133.150
CMCSUS | M12_20240821.xls | malicious | Remcos | 45.90.89.98
CMCSUS | 7jJ5MmlHbSHkdkHmvUSAjcUp2P2shzjYzN.elf | malicious | Unknown | 95.214.27.215
CMCSUS | 5W1oMx0mvDdA5qxT1IJjtPL48vEFbOM1gh.elf | malicious | Unknown | 95.214.27.215
CMCSUS | b4JF06gZTMJpnYlsUOImGOM77xqMU1h8u3.elf | malicious | Unknown | 95.214.27.215
CMCSUS | FtxaQtUvjBYIMfEEaq6CUaPLqJCNXnjMDz.elf | malicious | Unknown | 95.214.27.215
CMCSUS | f4rgX4ruBw0IqdorzUGWIF1EBpCY4DpfH7.elf | malicious | Unknown | 95.214.27.215
                          Process:C:\Users\user\Desktop\aS4XS9m23e.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1216
                          Entropy (8bit):5.34331486778365
                          Encrypted:false
                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                          Malicious:true
                          Reputation:high, very likely benign file
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                          Process:C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):1216
                          Entropy (8bit):5.34331486778365
                          Encrypted:false
                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                          Malicious:false
                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):2232
                          Entropy (8bit):5.379184608538005
                          Encrypted:false
                          SSDEEP:48:bWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//ZmUyus:bLHyIFKL3IZ2KRH9Ouggs
                          MD5:A2017015E9C089A7BA7ED4485941A879
                          SHA1:F1EA8F952FD29C31CC64D477DE9FA00FAEAA12C0
                          SHA-256:AD74B83455712A0286AB59F1B0808464EE092F8BA4D2FDEF6D61BD1FB1B0EC95
                          SHA-512:8126D05E0A478BBA6D80D83F6623F82DD076210BF6B0FE68FF7D082B0AA59373C43C5824CE22DD688F554322010FDB88E1367599E326A3D8743ACBD802492450
                          Malicious:false
                          Preview:@...e.................................&..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):60
                          Entropy (8bit):4.038920595031593
                          Encrypted:false
                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                          Malicious:false
                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                          Process:C:\Users\user\Desktop\aS4XS9m23e.exe
                          File Type:XML 1.0 document, ASCII text
                          Category:dropped
                          Size (bytes):1580
                          Entropy (8bit):5.114974583905553
                          Encrypted:false
                          SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaLxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTkv
                          MD5:F76F9A60366EC297BDA0B742393AA437
                          SHA1:861E2CFA22DA4C597DAB29E6B239D156F014B728
                          SHA-256:C82B867904851FF21BBEE6608AD41EB84C94EE0E64197BFC770C68FD6C2FCC1B
                          SHA-512:147089C13FFF44B1A29FBB6F0115B79A8D94412C696E325F77D57E27C6576AC69CE9223400FCD63551DE532B524F2FC05B06476E4A713D69B33BE88C811EF18E
                          Malicious:true
                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                          Process:C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe
                          File Type:XML 1.0 document, ASCII text
                          Category:dropped
                          Size (bytes):1580
                          Entropy (8bit):5.114974583905553
                          Encrypted:false
                          SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtaLxvn:cge1wYrFdOFzOzN33ODOiDdKrsuTkv
                          MD5:F76F9A60366EC297BDA0B742393AA437
                          SHA1:861E2CFA22DA4C597DAB29E6B239D156F014B728
                          SHA-256:C82B867904851FF21BBEE6608AD41EB84C94EE0E64197BFC770C68FD6C2FCC1B
                          SHA-512:147089C13FFF44B1A29FBB6F0115B79A8D94412C696E325F77D57E27C6576AC69CE9223400FCD63551DE532B524F2FC05B06476E4A713D69B33BE88C811EF18E
                          Malicious:false
                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                          Process:C:\Users\user\Desktop\aS4XS9m23e.exe
                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Category:dropped
                          Size (bytes):787968
                          Entropy (8bit):7.822802947029212
                          Encrypted:false
                          SSDEEP:12288:E2iNevIGc2JkmzACQDUJfpYhWuAwXm8jTIMueVoxa6l7w2Vz+:E1AxJzDhYhWuAympYiPLz
                          MD5:A1C682E062A48D9C0B1A1C2D818873E7
                          SHA1:BED463472DAC1EA86538E3627A84C268DF713DF5
                          SHA-256:AC16409881C939BAACA90116FEBA3724F5D6AED3DC7CA00672DFEE067C72C2AE
                          SHA-512:10DD4EEA1EE67E8BF4FE39A8F4D5B6D1DA2679A71B9CF2A62DE48C347018BA18C77AFF2B98E39EA2EC55588D6BCD7315D8AB9EF18C34240D5DDF6A980AB2D296
                          Malicious:true
                          Antivirus:
                          • Antivirus: Joe Sandbox ML, Detection: 100%
                          • Antivirus: ReversingLabs, Detection: 66%
                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0...... ......*.... ... ....@.. .......................`............@.....................................O.... .......................@......L...p............................................ ............... ..H............text...0.... ...................... ..`.rsrc........ ......................@..@.reloc.......@......................@..B........................H........Z...=......O.......R..........................................^..}.....(.......(.....*.0..;........(.........(.....o............,..r...p.+....t....o.....+..*..0..;........(.........(.....o............,..r...p.+....t....o.....+..*..0..;........(.........(.....o............,..r...p.+....t....o.....+..*..0..;........(.........(.....o............,..r...p.+....t....o.....+..*..0..+.........,..{.......+....,...{....o........(.....*..0................(....s......s ...}....
                          Process:C:\Users\user\Desktop\aS4XS9m23e.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):26
                          Entropy (8bit):3.95006375643621
                          Encrypted:false
                          SSDEEP:3:ggPYV:rPYV
                          MD5:187F488E27DB4AF347237FE461A079AD
                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                          Malicious:true
                          Preview:[ZoneTransfer]....ZoneId=0
                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                          Entropy (8bit):7.822802947029212
                          TrID:
                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                          • Win32 Executable (generic) a (10002005/4) 49.78%
                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                          • Generic Win/DOS Executable (2004/3) 0.01%
                          • DOS Executable Generic (2002/1) 0.01%
                          File name:aS4XS9m23e.exe
                          File size:787'968 bytes
                          MD5:a1c682e062a48d9c0b1a1c2d818873e7
                          SHA1:bed463472dac1ea86538e3627a84c268df713df5
                          SHA256:ac16409881c939baaca90116feba3724f5d6aed3dc7ca00672dfee067c72c2ae
                          SHA512:10dd4eea1ee67e8bf4fe39a8f4d5b6d1da2679a71b9cf2a62de48c347018ba18c77aff2b98e39ea2ec55588d6bcd7315d8ab9ef18c34240d5ddf6a980ab2d296
                          SSDEEP:12288:E2iNevIGc2JkmzACQDUJfpYhWuAwXm8jTIMueVoxa6l7w2Vz+:E1AxJzDhYhWuAympYiPLz
                          TLSH:EFF4E0C13B36731ADEA58638A2A8DDB243B50D68B114F9E719C93B87399D7109E1CF43
                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................0...... ......*.... ... ....@.. .......................`............@................................
                          Icon Hash:9c306e8c8cb682ac
                          Entrypoint:0x4c022a
                          Entrypoint Section:.text
                          Digitally signed:false
                          Imagebase:0x400000
                          Subsystem:windows gui
                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                          Time Stamp:0xEE1E000E [Sat Aug 4 18:31:42 2096 UTC]
                          TLS Callbacks:
                          CLR (.Net) Version:
                          OS Version Major:4
                          OS Version Minor:0
                          File Version Major:4
                          File Version Minor:0
                          Subsystem Version Major:4
                          Subsystem Version Minor:0
                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                          Instruction
                          jmp dword ptr [00402000h]
add byte ptr [eax], al   (repeated 97 times: zero-byte padding following the entrypoint stub)
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0xc01d5 | 0x4f | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xc2000 | 0x1db4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xc4000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0xbea4c | 0x70 | .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0xbe230 | 0xbe400 | 4c0c37c48d81a4e2a778dacb20337121 | False | 0.919076205239816 | data | 7.827386336620395 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0xc2000 | 0x1db4 | 0x1e00 | f5e2fc19d62680f8116a8e8e045557ee | False | 0.8252604166666667 | data | 7.381781226147565 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0xc4000 | 0xc | 0x200 | aa793799ad5c21383af5fcbac96b8a0c | False | 0.041015625 | data | 0.07763316234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0xc2130 | 0x1745 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9288232331710593
RT_GROUP_ICON | 0xc3878 | 0x14 | data | | | 0.9
RT_VERSION | 0xc388c | 0x33c | data | | | 0.4359903381642512
RT_MANIFEST | 0xc3bc8 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347

DLL | Import
mscoree.dll | _CorExeMain
Timestamp | Protocol | SID | Signature | Severity | Source Port | Dest Port | Source IP | Dest IP
2024-08-29T15:57:14.582663+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49731 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:11.209793+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49730 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:13.693655+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49731 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:13.031512+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49731 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:09.758204+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49730 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:13.793345+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49731 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:03.628786+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49730 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:03.628786+0200 | TCP | 2046045 | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 1 | 49730 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:03.723989+0200 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 1 | 1912 | 49730 | 85.209.133.187 | 192.168.2.4
2024-08-29T15:57:14.376435+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49731 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:11.532053+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49730 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:12.176588+0200 | TCP | 2046056 | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) | 1 | 1912 | 49731 | 85.209.133.187 | 192.168.2.4
2024-08-29T15:57:13.229012+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49731 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:15.483183+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49731 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:11.995188+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49730 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:11.928398+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49731 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:11.104735+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49730 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:13.130583+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49731 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:12.536410+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49730 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:12.755077+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49730 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:10.682490+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49730 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:10.810358+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49730 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:14.044948+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49731 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:13.945146+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49731 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:06.849653+0200 | TCP | 2043234 | ET MALWARE Redline Stealer TCP CnC - Id1Response | 1 | 1912 | 49731 | 85.209.133.187 | 192.168.2.4
2024-08-29T15:57:09.093192+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49730 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:13.674414+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49731 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:14.271625+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49731 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:14.577260+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49731 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:10.909327+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49730 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:08.971200+0200 | TCP | 2046056 | ET MALWARE Redline Stealer/MetaStealer Family Activity (Response) | 1 | 1912 | 49730 | 85.209.133.187 | 192.168.2.4
2024-08-29T15:57:06.752935+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49731 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:06.752935+0200 | TCP | 2046045 | ET MALWARE [ANY.RUN] RedLine Stealer/MetaStealer Family Related (MC-NMF Authorization) | 1 | 49731 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:14.171253+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49731 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:11.811858+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49730 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:13.328171+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49731 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:09.221278+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49730 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:15.335316+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49731 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:12.169489+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49731 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:11.989237+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49730 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:11.007941+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49730 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:15.580288+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49731 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:14.533892+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49731 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:15.678097+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49731 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:11.305933+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49730 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:15.235114+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49731 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:15.799278+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49731 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:11.630868+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49730 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:09.870434+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49730 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:09.600356+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49730 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:11.405453+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49730 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:13.503543+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49731 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:12.633051+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49730 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:10.511808+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49730 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:08.787507+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49730 | 1912 | 192.168.2.4 | 85.209.133.187
2024-08-29T15:57:15.132790+0200 | TCP | 2043231 | ET MALWARE Redline Stealer TCP CnC Activity | 1 | 49731 | 1912 | 192.168.2.4 | 85.209.133.187
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Aug 29, 2024 15:57:03.139746904 CEST | 49730 | 1912 | 192.168.2.4 | 85.209.133.187
Aug 29, 2024 15:57:03.144717932 CEST | 1912 | 49730 | 85.209.133.187 | 192.168.2.4
Aug 29, 2024 15:57:03.144798994 CEST | 49730 | 1912 | 192.168.2.4 | 85.209.133.187
Aug 29, 2024 15:57:03.176474094 CEST | 49730 | 1912 | 192.168.2.4 | 85.209.133.187
Aug 29, 2024 15:57:03.181375980 CEST | 1912 | 49730 | 85.209.133.187 | 192.168.2.4
Aug 29, 2024 15:57:03.591645956 CEST | 1912 | 49730 | 85.209.133.187 | 192.168.2.4
Aug 29, 2024 15:57:03.628786087 CEST | 49730 | 1912 | 192.168.2.4 | 85.209.133.187
Aug 29, 2024 15:57:03.633610010 CEST | 1912 | 49730 | 85.209.133.187 | 192.168.2.4
Aug 29, 2024 15:57:03.723989010 CEST | 1912 | 49730 | 85.209.133.187 | 192.168.2.4
Aug 29, 2024 15:57:03.846290112 CEST | 49730 | 1912 | 192.168.2.4 | 85.209.133.187
Aug 29, 2024 15:57:06.258042097 CEST | 49731 | 1912 | 192.168.2.4 | 85.209.133.187
Aug 29, 2024 15:57:06.264309883 CEST | 1912 | 49731 | 85.209.133.187 | 192.168.2.4
Aug 29, 2024 15:57:06.267729998 CEST | 49731 | 1912 | 192.168.2.4 | 85.209.133.187
Aug 29, 2024 15:57:06.280502081 CEST | 49731 | 1912 | 192.168.2.4 | 85.209.133.187
Aug 29, 2024 15:57:06.285343885 CEST | 1912 | 49731 | 85.209.133.187 | 192.168.2.4
Aug 29, 2024 15:57:06.725378990 CEST | 1912 | 49731 | 85.209.133.187 | 192.168.2.4
Aug 29, 2024 15:57:06.752934933 CEST | 49731 | 1912 | 192.168.2.4 | 85.209.133.187
Aug 29, 2024 15:57:06.758466959 CEST | 1912 | 49731 | 85.209.133.187 | 192.168.2.4
Aug 29, 2024 15:57:06.849653006 CEST | 1912 | 49731 | 85.209.133.187 | 192.168.2.4
Aug 29, 2024 15:57:06.893160105 CEST | 49731 | 1912 | 192.168.2.4 | 85.209.133.187
Aug 29, 2024 15:57:08.787507057 CEST | 49730 | 1912 | 192.168.2.4 | 85.209.133.187
Aug 29, 2024 15:57:08.792423964 CEST | 1912 | 49730 | 85.209.133.187 | 192.168.2.4
Aug 29, 2024 15:57:08.883913040 CEST | 1912 | 49730 | 85.209.133.187 | 192.168.2.4
Aug 29, 2024 15:57:08.883939981 CEST | 1912 | 49730 | 85.209.133.187 | 192.168.2.4
Aug 29, 2024 15:57:08.883999109 CEST | 49730 | 1912 | 192.168.2.4 | 85.209.133.187
Aug 29, 2024 15:57:08.898202896 CEST | 1912 | 49730 | 85.209.133.187 | 192.168.2.4
Aug 29, 2024 15:57:08.898425102 CEST | 1912 | 49730 | 85.209.133.187 | 192.168.2.4
Aug 29, 2024 15:57:08.898436069 CEST | 1912 | 49730 | 85.209.133.187 | 192.168.2.4
Aug 29, 2024 15:57:08.898607969 CEST | 49730 | 1912 | 192.168.2.4 | 85.209.133.187
Aug 29, 2024 15:57:08.971199989 CEST | 1912 | 49730 | 85.209.133.187 | 192.168.2.4
Aug 29, 2024 15:57:08.971210003 CEST | 1912 | 49730 | 85.209.133.187 | 192.168.2.4
Aug 29, 2024 15:57:08.971422911 CEST | 49730 | 1912 | 192.168.2.4 | 85.209.133.187
Aug 29, 2024 15:57:09.093192101 CEST | 49730 | 1912 | 192.168.2.4 | 85.209.133.187
Aug 29, 2024 15:57:09.098046064 CEST | 1912 | 49730 | 85.209.133.187 | 192.168.2.4
                          Aug 29, 2024 15:57:09.188268900 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:09.221277952 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:09.226041079 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:09.316157103 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:09.361928940 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:09.600356102 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:09.605400085 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:09.695732117 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:09.736932993 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:09.758203983 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:09.762968063 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:09.853187084 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:09.870434046 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:09.875224113 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:09.965375900 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:10.018177986 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:10.511807919 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:10.516757011 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:10.516769886 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:10.516849995 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:10.609961987 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:10.658791065 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:10.682490110 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:10.688510895 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:10.688523054 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:10.688595057 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:10.688604116 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:10.688607931 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:10.688868999 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:10.688878059 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:10.688987017 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:10.688997030 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:10.693291903 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:10.693301916 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:10.693312883 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:10.693322897 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:10.808259010 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:10.810358047 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:10.817184925 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:10.905724049 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:10.909327030 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:10.914402962 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:11.005950928 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:11.007941008 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:11.012834072 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:11.103066921 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:11.104734898 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:11.116616011 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:11.206660032 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:11.209793091 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:11.215404034 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:11.305039883 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:11.305932999 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:11.310851097 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:11.401149988 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:11.405452967 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:11.410460949 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:11.410736084 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:11.510127068 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:11.532052994 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:11.536890984 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:11.627130985 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:11.630867958 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:11.635723114 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:11.728782892 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:11.768718004 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:11.811857939 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:11.816735029 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:11.907115936 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:11.928397894 CEST497311912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:11.933207035 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:11.955662966 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:11.989237070 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:11.995115995 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:11.995187998 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:11.995264053 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:11.995368958 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:11.995737076 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:11.995745897 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:11.995750904 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:11.995834112 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:12.000127077 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.000199080 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:12.000413895 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.000456095 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.000466108 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.000471115 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:12.000502110 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.000510931 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.000514984 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:12.000523090 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.000545979 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:12.000575066 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:12.000581026 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.000622988 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.000626087 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:12.000632048 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.000674009 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:12.000866890 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.000875950 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.000890970 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.000900030 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.000921965 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:12.000940084 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:12.000956059 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.000966072 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.000971079 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.000973940 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.001013041 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.001020908 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.001030922 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.001548052 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.001555920 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.001564980 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.001573086 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.001607895 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.001616001 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.001624107 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.001640081 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.001648903 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.001657009 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.001662016 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.001691103 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.001699924 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.001730919 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.001781940 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.001791000 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:12.001844883 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:12.001857042 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.001866102 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.001869917 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.001907110 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:12.005070925 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.005121946 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:12.005163908 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.005172014 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.005179882 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.005619049 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.005664110 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.005672932 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.005681038 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.005696058 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.005703926 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.005712986 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.005750895 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.005759001 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.005877972 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.005893946 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.005903006 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.005908966 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.005989075 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.005999088 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.006001949 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.006006002 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.006014109 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.006084919 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.006118059 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.006172895 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.006181955 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.006189108 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.006197929 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.006206036 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.006282091 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.006335020 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.006344080 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.006347895 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.006356955 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.006366014 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.006381989 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.006391048 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.006407022 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.006416082 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.006418943 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.006639957 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:12.006709099 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:12.007069111 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007158995 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007168055 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007179976 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007188082 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007200003 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007208109 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007251978 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007260084 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007273912 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007282019 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007314920 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007323980 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007337093 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007344961 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007354021 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007417917 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007494926 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007539988 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007549047 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007555962 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007565975 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007600069 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007608891 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007611990 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007637024 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007646084 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007671118 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007679939 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007797003 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007805109 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007838964 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007848024 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007857084 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007864952 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007916927 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007925987 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007932901 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007941961 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007951975 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007961988 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.007999897 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.008307934 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.008316040 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.008369923 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.008378029 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.008384943 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.008393049 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.008397102 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.008410931 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.008419037 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.010451078 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.010466099 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.010541916 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.010745049 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:12.010806084 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:12.011791945 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.011809111 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.011862040 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012125015 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012134075 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012211084 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012218952 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012320042 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012330055 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012418032 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012427092 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012444019 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012494087 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012531996 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012541056 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012551069 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012595892 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012605906 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012682915 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012691975 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012695074 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012703896 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012712955 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012728930 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012737989 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012772083 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012779951 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012818098 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012826920 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012835979 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012845039 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012856960 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012866974 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012922049 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012931108 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012933969 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012942076 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012949944 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012959003 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012967110 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012974024 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.012990952 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.013000011 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.013015985 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.013024092 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.013031006 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.013040066 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.013062000 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.013071060 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.013078928 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.013087034 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.013103962 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.013112068 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.013441086 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:12.013636112 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:12.013700962 CEST497301912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:12.015702009 CEST19124973085.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.587632895 CEST497311912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:14.587647915 CEST497311912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:14.587647915 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.587656975 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.587706089 CEST497311912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:14.587938070 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.587946892 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.587953091 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.587955952 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.587964058 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.587973118 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588012934 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588015079 CEST497311912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:14.588022947 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588032961 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588041067 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588049889 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588058949 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588143110 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588151932 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588155031 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588162899 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588282108 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588294983 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588304043 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588325024 CEST497311912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:14.588359118 CEST497311912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:14.588392019 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588399887 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588407993 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588416100 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588418961 CEST497311912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:14.588429928 CEST497311912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:14.588502884 CEST497311912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:14.588517904 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588526011 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588536978 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588540077 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588547945 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588557005 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588606119 CEST497311912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:14.588645935 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588655949 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588660002 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588666916 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588675976 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588707924 CEST497311912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:14.588711977 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588721991 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588737011 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588746071 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588860989 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588870049 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588879108 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.588887930 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.592859030 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.592868090 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.592875957 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.592987061 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.592995882 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593003035 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593010902 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593019962 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593106031 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593115091 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593122959 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593132019 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593139887 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593203068 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593211889 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593219995 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593229055 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593236923 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593245983 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593256950 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593327045 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593336105 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593344927 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593353987 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593362093 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593466043 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593565941 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593575001 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593584061 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593591928 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593638897 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593647957 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593683004 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593691111 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593700886 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593708992 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593724012 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593734026 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593741894 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593744040 CEST497311912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:14.593746901 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593820095 CEST497311912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:14.593831062 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593838930 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593851089 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593909025 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593919039 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.593972921 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.594019890 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.594029903 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.594050884 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.594094038 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.594166040 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.594193935 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.594250917 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.594302893 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.594310999 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.594372034 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.594379902 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.594405890 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.594423056 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.594491959 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.594501019 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.594535112 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.594554901 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.594598055 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.594641924 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.594671011 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.594685078 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.594702005 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.594713926 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.594744921 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.594753027 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.594763041 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.594793081 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.594801903 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.594810963 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.594940901 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.594949961 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.594958067 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.594968081 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.594991922 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.595001936 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.595235109 CEST497311912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:14.595293045 CEST497311912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:14.598638058 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.598685980 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.598692894 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.598706007 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.598730087 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.598737001 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.598745108 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.598754883 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.598826885 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.598834991 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.598839045 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.598846912 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.598856926 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.598865986 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.598881960 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.598891020 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.598901987 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.598911047 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.598982096 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.598990917 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.599034071 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.599042892 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.599088907 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.599097967 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.599137068 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.599144936 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.599226952 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.599239111 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.599289894 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.599298954 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.599307060 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.599314928 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.599343061 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.599350929 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.599359035 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.599363089 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.599452019 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.599461079 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.599468946 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.599473000 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.599477053 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.599484921 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.599502087 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.599509954 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.599519014 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.599579096 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.599586964 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.599596024 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.599643946 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.599652052 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.599688053 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.599698067 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.599730015 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.599737883 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.599947929 CEST497311912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:14.600025892 CEST497311912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:14.600127935 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600136995 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600207090 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600215912 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600223064 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600225925 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600286961 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600295067 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600297928 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600301981 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600310087 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600317955 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600321054 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600326061 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600349903 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600445032 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600454092 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600557089 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600578070 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600651979 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600661039 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600675106 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600683928 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600698948 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600707054 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600742102 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600749969 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600795031 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600804090 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600814104 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600821972 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600841045 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600848913 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600872040 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600922108 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600930929 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600940943 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600950003 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600975037 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600984097 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.600999117 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.601052999 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.601062059 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.601070881 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.601080894 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.601089954 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.601131916 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.601140976 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.601175070 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.601182938 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.601200104 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.601207972 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.601247072 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.601294994 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.601528883 CEST497311912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:14.601614952 CEST497311912192.168.2.485.209.133.187
                          Aug 29, 2024 15:57:14.604865074 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.604875088 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.604901075 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.604911089 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.604995012 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.605004072 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.605103016 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.605114937 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.605130911 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.605139971 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.605190992 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.605200052 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.605242014 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.605249882 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.605257034 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.605268002 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.605278015 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.605293036 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.605300903 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.605303049 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.605350018 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.605359077 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.605393887 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.605463028 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.605472088 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.605479002 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.605499029 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.605551004 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.605645895 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.605684996 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.605739117 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.605747938 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.605794907 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.605803967 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.605833054 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.605842113 CEST19124973185.209.133.187192.168.2.4
                          Aug 29, 2024 15:57:14.605846882 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.605938911 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.605947971 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.605956078 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.606045008 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.606054068 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.606062889 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.606070995 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.606075048 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.606082916 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.606101036 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.606108904 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.606149912 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.606158018 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.606209040 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.606216908 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.606236935 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.606245041 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.606434107 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.606442928 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.606470108 CEST  49731  1912   192.168.2.4     85.209.133.187
                          Aug 29, 2024 15:57:14.606503963 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.606545925 CEST  49731  1912   192.168.2.4     85.209.133.187
                          Aug 29, 2024 15:57:14.606583118 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.606592894 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.606600046 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.606616974 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.606625080 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.606657982 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.606694937 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.606731892 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.606739998 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.606825113 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.606833935 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.606879950 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.606889963 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.606990099 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607073069 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607084036 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607130051 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607139111 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607188940 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607197046 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607286930 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607295036 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607302904 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607316971 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607388020 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607395887 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607438087 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607455015 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607462883 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607512951 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607522011 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607531071 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607594013 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607604027 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607610941 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607626915 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607635021 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607639074 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607661009 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607670069 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607677937 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607686043 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607727051 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607734919 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607743025 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607752085 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607763052 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607795954 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607805014 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607815027 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.607822895 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.608067989 CEST  49731  1912   192.168.2.4     85.209.133.187
                          Aug 29, 2024 15:57:14.608134985 CEST  49731  1912   192.168.2.4     85.209.133.187
                          Aug 29, 2024 15:57:14.611356974 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.611366034 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.611375093 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.611443996 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.611452103 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.611468077 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.611478090 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.611527920 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.611536980 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.611576080 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.611584902 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.611599922 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.611608982 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.611654043 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.611666918 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.611676931 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.611686945 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.611747980 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.611757040 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.611763000 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.611773968 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.611790895 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.611799002 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.611803055 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.611807108 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.611850977 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.611860037 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.611865044 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.611881018 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.611890078 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.611897945 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.611908913 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.611943960 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.611979961 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.611989021 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.612050056 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.612059116 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.612062931 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.612071991 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.612081051 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.612112999 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.612128973 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.612137079 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.612229109 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.612236977 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.612246037 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.612248898 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.612287998 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.612297058 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.612345934 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.612354040 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.612401962 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.612411022 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.612477064 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.612728119 CEST  49731  1912   192.168.2.4     85.209.133.187
                          Aug 29, 2024 15:57:14.612808943 CEST  49731  1912   192.168.2.4     85.209.133.187
                          Aug 29, 2024 15:57:14.612940073 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.612991095 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613050938 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613059998 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613091946 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613132000 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613154888 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613163948 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613183022 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613192081 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613203049 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613213062 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613245964 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613266945 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613308907 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613329887 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613351107 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613404989 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613444090 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613452911 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613457918 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613514900 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613564014 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613571882 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613579988 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613615990 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613625050 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613631964 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613642931 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613658905 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613667965 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613675117 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613684893 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613692999 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613732100 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613739967 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613794088 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613801956 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613814116 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613821983 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613832951 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.613841057 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.658821106 CEST  49731  1912   192.168.2.4     85.209.133.187
                          Aug 29, 2024 15:57:14.660877943 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.661070108 CEST  49731  1912   192.168.2.4     85.209.133.187
                          Aug 29, 2024 15:57:14.663861036 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.666333914 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.666342974 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.666455984 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.666464090 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.666471958 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.666481018 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.666573048 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.666582108 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.666585922 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.666593075 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.666673899 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.666681051 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.666690111 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.666697979 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.666707039 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:14.690076113 CEST  49731  1912   192.168.2.4     85.209.133.187
                          Aug 29, 2024 15:57:14.694958925 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:15.130923986 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:15.132790089 CEST  49731  1912   192.168.2.4     85.209.133.187
                          Aug 29, 2024 15:57:15.140609026 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:15.232861042 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:15.235114098 CEST  49731  1912   192.168.2.4     85.209.133.187
                          Aug 29, 2024 15:57:15.240268946 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:15.334481001 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:15.335315943 CEST  49731  1912   192.168.2.4     85.209.133.187
                          Aug 29, 2024 15:57:15.340312958 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:15.432564974 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:15.483182907 CEST  49731  1912   192.168.2.4     85.209.133.187
                          Aug 29, 2024 15:57:15.487968922 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:15.579873085 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:15.580287933 CEST  49731  1912   192.168.2.4     85.209.133.187
                          Aug 29, 2024 15:57:15.585647106 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:15.677433014 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:15.678097010 CEST  49731  1912   192.168.2.4     85.209.133.187
                          Aug 29, 2024 15:57:15.682931900 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:15.776467085 CEST  1912   49731  85.209.133.187  192.168.2.4
                          Aug 29, 2024 15:57:15.799278021 CEST  49731  1912   192.168.2.4     85.209.133.187

                          Target ID:0
                          Start time:09:56:59
                          Start date:29/08/2024
                          Path:C:\Users\user\Desktop\aS4XS9m23e.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\aS4XS9m23e.exe"
                          Imagebase:0x50000
                          File size:787'968 bytes
                          MD5 hash:A1C682E062A48D9C0B1A1C2D818873E7
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1715114558.0000000004194000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1715114558.00000000041DF000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000000.00000002.1715114558.0000000003DF9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:1
                          Start time:09:57:00
                          Start date:29/08/2024
                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\aS4XS9m23e.exe"
                          Imagebase:0xbd0000
                          File size:433'152 bytes
                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:2
                          Start time:09:57:00
                          Start date:29/08/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:3
                          Start time:09:57:00
                          Start date:29/08/2024
                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe"
                          Imagebase:0xbd0000
                          File size:433'152 bytes
                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:4
                          Start time:09:57:00
                          Start date:29/08/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:5
                          Start time:09:57:00
                          Start date:29/08/2024
                          Path:C:\Windows\SysWOW64\schtasks.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjCLFIohWTlhgd" /XML "C:\Users\user\AppData\Local\Temp\tmpA2E9.tmp"
                          Imagebase:0x420000
                          File size:187'904 bytes
                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:6
                          Start time:09:57:00
                          Start date:29/08/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:7
                          Start time:09:57:00
                          Start date:29/08/2024
                          Path:C:\Users\user\Desktop\aS4XS9m23e.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\Desktop\aS4XS9m23e.exe"
                          Imagebase:0x810000
                          File size:787'968 bytes
                          MD5 hash:A1C682E062A48D9C0B1A1C2D818873E7
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000007.00000002.1819381063.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.1822155150.0000000002D66000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:8
                          Start time:09:57:01
                          Start date:29/08/2024
                          Path:C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe
                          Imagebase:0x470000
                          File size:787'968 bytes
                          MD5 hash:A1C682E062A48D9C0B1A1C2D818873E7
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000008.00000002.1753433472.0000000003834000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000008.00000002.1753433472.0000000003868000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_RedLine, Description: Yara detected RedLine Stealer, Source: 00000008.00000002.1753433472.00000000038B3000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Antivirus matches:
                          • Detection: 100%, Joe Sandbox ML
                          • Detection: 66%, ReversingLabs
                          Reputation:low
                          Has exited:true

                          Target ID:9
                          Start time:09:57:03
                          Start date:29/08/2024
                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                          Imagebase:0x7ff693ab0000
                          File size:496'640 bytes
                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                          Has elevated privileges:true
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:10
                          Start time:09:57:05
                          Start date:29/08/2024
                          Path:C:\Windows\SysWOW64\schtasks.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mjCLFIohWTlhgd" /XML "C:\Users\user\AppData\Local\Temp\tmpB4FA.tmp"
                          Imagebase:0x420000
                          File size:187'904 bytes
                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:11
                          Start time:09:57:05
                          Start date:29/08/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:12
                          Start time:09:57:05
                          Start date:29/08/2024
                          Path:C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe
                          Wow64 process (32bit):true
                          Commandline:"C:\Users\user\AppData\Roaming\mjCLFIohWTlhgd.exe"
                          Imagebase:0xb60000
                          File size:787'968 bytes
                          MD5 hash:A1C682E062A48D9C0B1A1C2D818873E7
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.1854072998.0000000003046000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.1854072998.00000000030F8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:low
                          Has exited:true

                          Target ID:15
                          Start time:09:57:21
                          Start date:29/08/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff7699e0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                            Execution Graph

                            Execution Coverage:11.6%
                            Dynamic/Decrypted Code Coverage:100%
                            Signature Coverage:0%
                            Total number of Nodes:227
                            Total number of Limit Nodes:12

                            Control-flow Graph

                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 0225D0DE
                            • GetCurrentThread.KERNEL32 ref: 0225D11B
                            • GetCurrentProcess.KERNEL32 ref: 0225D158
                            • GetCurrentThreadId.KERNEL32 ref: 0225D1B1
                            Memory Dump Source
                            • Source File: 00000000.00000002.1706718541.0000000002250000.00000040.00000800.00020000.00000000.sdmp, Offset: 02250000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2250000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0
                            • Opcode ID: 9940db8d7c5e47c2b19cf1375e728a05c99d604637f6ce31a868c04bbb99e5d2
                            • Instruction ID: 758ee5632246165c08835b0ef6dc6fa961e1820afbc85d2ec960d4f83451342b
                            • Opcode Fuzzy Hash: 9940db8d7c5e47c2b19cf1375e728a05c99d604637f6ce31a868c04bbb99e5d2
                            • Instruction Fuzzy Hash: D35155B0A003498FDB14DFA9D648BDEBBF1EF48304F20C469D419A72A0D735A885CF65

                            Control-flow Graph

                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 0225D0DE
                            • GetCurrentThread.KERNEL32 ref: 0225D11B
                            • GetCurrentProcess.KERNEL32 ref: 0225D158
                            • GetCurrentThreadId.KERNEL32 ref: 0225D1B1
                            Memory Dump Source
                            • Source File: 00000000.00000002.1706718541.0000000002250000.00000040.00000800.00020000.00000000.sdmp, Offset: 02250000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2250000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0
                            • Opcode ID: 1789053dbf1162f95c011856066103b4fa8a6aa6029921632254a153c34699be
                            • Instruction ID: 141960bbaf20cf7b1068f6d13d3df66fc7d50ee2476bd90e3654d994c5fcf14b
                            • Opcode Fuzzy Hash: 1789053dbf1162f95c011856066103b4fa8a6aa6029921632254a153c34699be
                            • Instruction Fuzzy Hash: 235124B0A103098FDB14DFAAD648BDEBBF1EF48314F20C469D419A7264DB35A984CF65

                            Control-flow Graph

                            APIs
                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07A3369E
                            Memory Dump Source
                            • Source File: 00000000.00000002.1725519883.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7a30000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID: CreateProcess
                            • String ID:
                            • API String ID: 963392458-0
                            • Opcode ID: 8bd6f574ab7b09875ae811d7370818f9c2a2b1093096149238ac91dd460247e2
                            • Instruction ID: d2faacdd4dd34af42ce00899b7adc2771fe3eb684f0b9e6414de3791a3503e0a
                            • Opcode Fuzzy Hash: 8bd6f574ab7b09875ae811d7370818f9c2a2b1093096149238ac91dd460247e2
                            • Instruction Fuzzy Hash: 7DA17DB1D0421ADFDF14CF69C8417EDBBB2BF48310F1485AAE819A7250DB749985CF92

                            Control-flow Graph

                            APIs
                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07A3369E
                            Memory Dump Source
                            • Source File: 00000000.00000002.1725519883.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7a30000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID: CreateProcess
                            • String ID:
                            • API String ID: 963392458-0
                            • Opcode ID: 15438e2d62954cb1d41602cf458106db21aaa3b57445794ed638d844680a38c9
                            • Instruction ID: a1264e5d70aa25bac44619627c71eacbfb8aecbd0cbb912d3c75a2840d9e7bf8
                            • Opcode Fuzzy Hash: 15438e2d62954cb1d41602cf458106db21aaa3b57445794ed638d844680a38c9
                            • Instruction Fuzzy Hash: AB917CB1D0421ADFDF10CFA9C8417EDBBB2BF48310F1485AAE819A7250DB749985CF92

                            Control-flow Graph

                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0225B01E
                            Memory Dump Source
                            • Source File: 00000000.00000002.1706718541.0000000002250000.00000040.00000800.00020000.00000000.sdmp, Offset: 02250000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2250000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: 796aeacbac8bedfa8bf1ae3f8d2afccdc82e4d11230b0ccef5c848425e825bac
                            • Instruction ID: e46d8db064cb3c8ce417863a0acc92a0ab954047f1ac1ae425af9849b38cd57d
                            • Opcode Fuzzy Hash: 796aeacbac8bedfa8bf1ae3f8d2afccdc82e4d11230b0ccef5c848425e825bac
                            • Instruction Fuzzy Hash: 657164B0A10B168FD724DFA9C04175ABBF2BF48304F008A2DD88AD7A54DB35E849CB90

                            Control-flow Graph

                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 022559C9
                            Memory Dump Source
                            • Source File: 00000000.00000002.1706718541.0000000002250000.00000040.00000800.00020000.00000000.sdmp, Offset: 02250000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2250000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0
                            • Opcode ID: f78d797fada62fc373eb932e8af3da38b15ff4f66ecd15fa412fa8371ee77d54
                            • Instruction ID: 390dc5e329155b96ab250b41dbe62090040bd27ebce49796155ff0019fe52f5c
                            • Opcode Fuzzy Hash: f78d797fada62fc373eb932e8af3da38b15ff4f66ecd15fa412fa8371ee77d54
                            • Instruction Fuzzy Hash: 7041D1B0C0062DCFDB24DFA9C9847CDBBB5BF48304F64806AD408AB255DB75698ACF90

                            Control-flow Graph

                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 022559C9
                            Memory Dump Source
                            • Source File: 00000000.00000002.1706718541.0000000002250000.00000040.00000800.00020000.00000000.sdmp, Offset: 02250000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2250000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0
                            • Opcode ID: 904e8293db957eae2cc7d86e28556862d6a60c55c12f04047a3a2ecac1d6611c
                            • Instruction ID: cf422a516450c32462eb488caea73e193a173327dca319d444c246942ea7cab6
                            • Opcode Fuzzy Hash: 904e8293db957eae2cc7d86e28556862d6a60c55c12f04047a3a2ecac1d6611c
                            • Instruction Fuzzy Hash: 7141F2B0C1072DCBDB24DFA9C94478DBBF5BF48304F60806AE408AB255DB756945CF90

                            Control-flow Graph

                            Memory Dump Source
                            • Source File: 00000000.00000002.1706718541.0000000002250000.00000040.00000800.00020000.00000000.sdmp, Offset: 02250000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2250000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f3f755d20eac5fdff00e360d67a26d9696bd938563474d23833392c578d5e998
                            • Instruction ID: 93f149db3f994043e8a181347ae72db1b5e7c069b096c5b91dca7f0895dfd74e
                            • Opcode Fuzzy Hash: f3f755d20eac5fdff00e360d67a26d9696bd938563474d23833392c578d5e998
                            • Instruction Fuzzy Hash: 0A31E170804769CFDB11CFE8C8847EDBBF1EF46318F588199D405AB299DB79984ACB81

                            Control-flow Graph

                            APIs
                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07A33270
                            Memory Dump Source
                            • Source File: 00000000.00000002.1725519883.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7a30000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID: MemoryProcessWrite
                            • String ID:
                            • API String ID: 3559483778-0
                            • Opcode ID: 9ab9de6599a13daf01ff5c14276b37febe226da79e8221042d4a1cc52dfc9e91
                            • Instruction ID: 7a20caa22a8f497c2d7f449dcb5ac96fd207c365b266c157341b9fc5ccb3bb22
                            • Opcode Fuzzy Hash: 9ab9de6599a13daf01ff5c14276b37febe226da79e8221042d4a1cc52dfc9e91
                            • Instruction Fuzzy Hash: BC2117B59003599FCF10DFA9C885BDEBBF5FB48310F108429E958A7250C7749945CBA5

                            Control-flow Graph

                            APIs
                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 07A33270
                            Memory Dump Source
                            • Source File: 00000000.00000002.1725519883.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7a30000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID: MemoryProcessWrite
                            • String ID:
                            • API String ID: 3559483778-0
                            • Opcode ID: 6c0a232aa15e16453bba9335366ae35d198d3040c09d0d4ef7c406f6399f2f57
                            • Instruction ID: d3063d60b84b29d180136d11818b76f8d7376cfecaa815ffaeb152f29ea02377
                            • Opcode Fuzzy Hash: 6c0a232aa15e16453bba9335366ae35d198d3040c09d0d4ef7c406f6399f2f57
                            • Instruction Fuzzy Hash: 342127B19003599FCF10CFA9C885BDEBBF5FF48310F108429E958A7250C7789944CBA4

                            Control-flow Graph

                            APIs
                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07A330C6
                            Memory Dump Source
                            • Source File: 00000000.00000002.1725519883.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7a30000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID: ContextThreadWow64
                            • String ID:
                            • API String ID: 983334009-0
                            • Opcode ID: e436639836644fe6613d6f1364b63587accbd748a556ea4e832145cebfbaa9c2
                            • Instruction ID: 51246a1571945511f48fbf7bf71522c47897c9c2edcca2c283700fcb0e7c1baf
                            • Opcode Fuzzy Hash: e436639836644fe6613d6f1364b63587accbd748a556ea4e832145cebfbaa9c2
                            • Instruction Fuzzy Hash: A8213AB1D043099FDB10DFAAC4857EEBBF4EF89324F108429D459A7240CB78A945CFA5

                            Control-flow Graph

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0225D737
                            Memory Dump Source
                            • Source File: 00000000.00000002.1706718541.0000000002250000.00000040.00000800.00020000.00000000.sdmp, Offset: 02250000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2250000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: b4aed5f0611699b270872d1d2c8e86d92cbfabc07b728168afd0f29291216e28
                            • Instruction ID: e365e473f5784ae463e9ba0a555e8311a122b06439543cd34766ce0df02199c2
                            • Opcode Fuzzy Hash: b4aed5f0611699b270872d1d2c8e86d92cbfabc07b728168afd0f29291216e28
                            • Instruction Fuzzy Hash: FB2112B5900219DFDB10CFAAD984ADEFFF4EB48320F10802AE958A7310C374A941CFA4
                            APIs
                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07A33350
                            Memory Dump Source
                            • Source File: 00000000.00000002.1725519883.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7a30000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID: MemoryProcessRead
                            • String ID:
                            • API String ID: 1726664587-0
                            • Opcode ID: 53a0ef546b681d5497ecc4bdf5db33cc8f0f076ba81cbcaf8a7a15d116b27f3b
                            • Instruction ID: 2ea784a0bc76ab6c353c982ec285bb8823b9615f91cdf9101639f6c57cd9368a
                            • Opcode Fuzzy Hash: 53a0ef546b681d5497ecc4bdf5db33cc8f0f076ba81cbcaf8a7a15d116b27f3b
                            • Instruction Fuzzy Hash: 252119B1D002599FCB10DFAAC885ADEBBF5FF48310F108429E558A7250CB789544CBA5
                            APIs
                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 07A33350
                            Memory Dump Source
                            • Source File: 00000000.00000002.1725519883.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7a30000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID: MemoryProcessRead
                            • String ID:
                            • API String ID: 1726664587-0
                            • Opcode ID: bef3ee00846dbc49b8deb9c2d784e167cfe911652b852f0869b40dc0197c5ae5
                            • Instruction ID: 83809993b0ca4c55971f1b12c5c6305ddcbc819cf535e60162af4b60b3e12135
                            • Opcode Fuzzy Hash: bef3ee00846dbc49b8deb9c2d784e167cfe911652b852f0869b40dc0197c5ae5
                            • Instruction Fuzzy Hash: AD2125B18002599FCB10DFAAC885BEEFBF5FF48320F10842AE558A7250C7789944CBA4
                            APIs
                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 07A330C6
                            Memory Dump Source
                            • Source File: 00000000.00000002.1725519883.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7a30000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID: ContextThreadWow64
                            • String ID:
                            • API String ID: 983334009-0
                            • Opcode ID: c47df7354278a834b6aa3b250522147935afc5e5aedb81902b8369c8705eb55d
                            • Instruction ID: c6c338a0d57f71bc3af5044f87664b3776b7e37d726c66454b7448e28374a3bf
                            • Opcode Fuzzy Hash: c47df7354278a834b6aa3b250522147935afc5e5aedb81902b8369c8705eb55d
                            • Instruction Fuzzy Hash: 5D2149B1D043098FDB10DFAAC4857EEBBF4EF89324F108429D459A7240C778A944CFA4
                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0225D737
                            Memory Dump Source
                            • Source File: 00000000.00000002.1706718541.0000000002250000.00000040.00000800.00020000.00000000.sdmp, Offset: 02250000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2250000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: 52fdec362da86cbca979f0ca01737637d56923d04874962eda0155a7e3d11e61
                            • Instruction ID: 1c7b0d36d366e4c5919da1f21974da1767b75a1ef0a471d0af94359edce709ef
                            • Opcode Fuzzy Hash: 52fdec362da86cbca979f0ca01737637d56923d04874962eda0155a7e3d11e61
                            • Instruction Fuzzy Hash: A721E2B5900258DFDB10CFAAD984ADEBFF8EB48320F14801AE958A3310C374A940CFA4
                            APIs
                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07A3318E
                            Memory Dump Source
                            • Source File: 00000000.00000002.1725519883.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7a30000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            • Opcode ID: 11c1b6c5eaf95cae0917b5694fb6a17b0109c55dc65611f72645702fba3d352b
                            • Instruction ID: c46927e28f47baa5f554691a1149972559f89b034ffd17b522a705e902ae4bc1
                            • Opcode Fuzzy Hash: 11c1b6c5eaf95cae0917b5694fb6a17b0109c55dc65611f72645702fba3d352b
                            • Instruction Fuzzy Hash: 3A1144B69002499FCF10DFAAC845BDEBFF5EB88324F108819E519A7250CB75A940CFA5
                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0225B099,00000800,00000000,00000000), ref: 0225B2AA
                            Memory Dump Source
                            • Source File: 00000000.00000002.1706718541.0000000002250000.00000040.00000800.00020000.00000000.sdmp, Offset: 02250000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2250000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 444fe8298971f597660a98915b24cd8e3f87ba78da555a46b43e5c67861b889e
                            • Instruction ID: 49e942741755e0c12417ce8c8ea62d6ac0d85172285fe7124b683ab8e6676b3a
                            • Opcode Fuzzy Hash: 444fe8298971f597660a98915b24cd8e3f87ba78da555a46b43e5c67861b889e
                            • Instruction Fuzzy Hash: 121126B69003199FDB10CF9AC444BDEFBF4EB48324F10842AE819B7214C3B5A545CFA5
                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,0225B099,00000800,00000000,00000000), ref: 0225B2AA
                            Memory Dump Source
                            • Source File: 00000000.00000002.1706718541.0000000002250000.00000040.00000800.00020000.00000000.sdmp, Offset: 02250000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2250000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 4d8ecab84bcdafb06223254983c5d8d18cc7c2aa49e391ba50bf6d1bbcbec69e
                            • Instruction ID: 18bb1e4d10885619dcc09378c557f842726e39ffed1569b1419d47137200baf2
                            • Opcode Fuzzy Hash: 4d8ecab84bcdafb06223254983c5d8d18cc7c2aa49e391ba50bf6d1bbcbec69e
                            • Instruction Fuzzy Hash: 0B1126B69003198FDB10CFAAC944ADEFBF4EB48324F14842AD859A7254C374A545CFA5
                            APIs
                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07A3318E
                            Memory Dump Source
                            • Source File: 00000000.00000002.1725519883.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7a30000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID: AllocVirtual
                            • String ID:
                            • API String ID: 4275171209-0
                            • Opcode ID: 5b2775aca7225d1366d7cdb609ffc4c105720e60966f0426686ac7dbd57e4ae3
                            • Instruction ID: 29fe59e165efa607a3e8b2b2c12392ff088a22bca566009def3f528b7b0b58b2
                            • Opcode Fuzzy Hash: 5b2775aca7225d1366d7cdb609ffc4c105720e60966f0426686ac7dbd57e4ae3
                            • Instruction Fuzzy Hash: 6E1126B19002499FCF10DFAAC845BDEBFF5EF88324F108819E559A7250C775A544CFA4
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.1725519883.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7a30000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID: ResumeThread
                            • String ID:
                            • API String ID: 947044025-0
                            • Opcode ID: 3d6930efec68f8f43a87bdfac4e90b08988a2b00cd1151bfd2c2e36c792f1d4b
                            • Instruction ID: 7de759aab3da75eb98ebd289451412fbb3c27dbc2902d26bd60478b4fa299fa9
                            • Opcode Fuzzy Hash: 3d6930efec68f8f43a87bdfac4e90b08988a2b00cd1151bfd2c2e36c792f1d4b
                            • Instruction Fuzzy Hash: F21136B19003598FCB20DFAAC4457DEFBF5EB88324F208829D459A7250CB75A944CFA4
                            APIs
                            Memory Dump Source
                            • Source File: 00000000.00000002.1725519883.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7a30000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID: ResumeThread
                            • String ID:
                            • API String ID: 947044025-0
                            • Opcode ID: 6e6cdce407d6223d83172a041a214599af2486c9acd2768775bd59e6542695d4
                            • Instruction ID: b63395212595b223e4d9206d666e2cbaf3109c0bbea293a1697c789db84684b0
                            • Opcode Fuzzy Hash: 6e6cdce407d6223d83172a041a214599af2486c9acd2768775bd59e6542695d4
                            • Instruction Fuzzy Hash: 431158B59002988FCB10DFA9C4457DEFFF5AF88324F24881AD459AB250C7746545CFA5
                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 0225B01E
                            Memory Dump Source
                            • Source File: 00000000.00000002.1706718541.0000000002250000.00000040.00000800.00020000.00000000.sdmp, Offset: 02250000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2250000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: 56b888ddb0209993021aae191680305ff215d112144bcd0a9790e444a562fc04
                            • Instruction ID: c15bc3bfb19b9243fc46bc9c0d89797af6a85acaef5e333af585fd82c7c39d58
                            • Opcode Fuzzy Hash: 56b888ddb0209993021aae191680305ff215d112144bcd0a9790e444a562fc04
                            • Instruction Fuzzy Hash: 5B11DFB5D002598FCB10CF9AD444BDEFBF4AF88328F10846AD869A7214D375A545CFA5
                            APIs
                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 07A376DD
                            Memory Dump Source
                            • Source File: 00000000.00000002.1725519883.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7a30000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID: MessagePost
                            • String ID:
                            • API String ID: 410705778-0
                            • Opcode ID: e6b45264f8983daee5e9d14c059083ee8d0c632d32e12161a6e1900abd9b33f2
                            • Instruction ID: 420232c8a21d94fd47cea80efeb91042a6c03668dc5dda0141c744bf377f1845
                            • Opcode Fuzzy Hash: e6b45264f8983daee5e9d14c059083ee8d0c632d32e12161a6e1900abd9b33f2
                            • Instruction Fuzzy Hash: E01103B5800349DFDB10DF9AC889BDEBBF8EB48324F10845AE568A7210C375A944CFA5
                            APIs
                            • PostMessageW.USER32(?,00000010,00000000,?), ref: 07A376DD
                            Memory Dump Source
                            • Source File: 00000000.00000002.1725519883.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7a30000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID: MessagePost
                            • String ID:
                            • API String ID: 410705778-0
                            • Opcode ID: 32c108ff3f8361303bbf0c4e92cd4115354545d16e55f62adfd5d7387c016824
                            • Instruction ID: 0de7819f4d953a3c5b0df93ae73517eacc2333848d7714299e969514b39af193
                            • Opcode Fuzzy Hash: 32c108ff3f8361303bbf0c4e92cd4115354545d16e55f62adfd5d7387c016824
                            • Instruction Fuzzy Hash: 751122B5800309DFCB10DF9AD885BDEBBF8FB48320F10841AE568A7250C374A980CFA5
                            Memory Dump Source
                            • Source File: 00000000.00000002.1706498363.00000000021CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 021CD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_21cd000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ae7a76453647f740ce582719f761cd8637130460f39e50ee2e8402a38f52a47c
                            • Instruction ID: dd0011e26bf3aeb28e845ac0ae878868c7bfb5942c53d485678feb60ea6be8c8
                            • Opcode Fuzzy Hash: ae7a76453647f740ce582719f761cd8637130460f39e50ee2e8402a38f52a47c
                            • Instruction Fuzzy Hash: B3212279684200DFDB14DF18E9C4B26BBA5FB94324F30C5BDD80A4B256C33AD467CA62
                            Memory Dump Source
                            • Source File: 00000000.00000002.1706498363.00000000021CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 021CD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_21cd000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 602888caf7cbd8d1e2b4b0eb42bedc9c2ad00a6e1c868d2cd306d721fea457e4
                            • Instruction ID: ebd46ebb42b2a01f9062a21e885e1c25083e047caa707214d6c168133385e6a5
                            • Opcode Fuzzy Hash: 602888caf7cbd8d1e2b4b0eb42bedc9c2ad00a6e1c868d2cd306d721fea457e4
                            • Instruction Fuzzy Hash: 25212679584200EFDB05DF14E9C4B26BBA5FB98314F30C67DE84A4B35AC336D446CA61
                            Memory Dump Source
                            • Source File: 00000000.00000002.1706498363.00000000021CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 021CD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_21cd000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 62ae0a2c18488926eb0b070f53427434caf823783c13ae30c35fda129c28c2a6
                            • Instruction ID: 7cfa8c8c2f72660bfa66c340b168056b062daa01609af0c2dbcb05c6a3b3ca1d
                            • Opcode Fuzzy Hash: 62ae0a2c18488926eb0b070f53427434caf823783c13ae30c35fda129c28c2a6
                            • Instruction Fuzzy Hash: ED2192755483809FCB02CF14D994715BF71EB56324F28C5EAD8498F2A7C33A981ACB62
                            Memory Dump Source
                            • Source File: 00000000.00000002.1706498363.00000000021CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 021CD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_21cd000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                            • Instruction ID: 00b8bc631aad8e09992f0b16d07d2d9a70bd4de80c0b66e6eec30526075bda38
                            • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                            • Instruction Fuzzy Hash: 5A11BB7A544280DFCB02CF10D9C4B15BBA1FB84218F24C6AED8494B29AC33AD40ACB62
                            Memory Dump Source
                            • Source File: 00000000.00000002.1725519883.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7a30000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e0c40de017462ae904103bcd77b461adea149043352642e123e070da3aa4c90a
                            • Instruction ID: 90d6f64b666de3812a84bbb5744414f90377130b430c694c3db087f414181253
                            • Opcode Fuzzy Hash: e0c40de017462ae904103bcd77b461adea149043352642e123e070da3aa4c90a
                            • Instruction Fuzzy Hash: 6BE1E9B4E102198FCB14DFA9D5809AEFBF2FF89305F248169E415AB356D731A941CFA0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1725519883.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7a30000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ece92d604c911652cadfb94d1f826715cea4186fa19a4f1c1557e3ef4f980a97
                            • Instruction ID: 6baccd450f77523ded0b42a25534dbdf712ba03acfd10dc7f936a04266131fed
                            • Opcode Fuzzy Hash: ece92d604c911652cadfb94d1f826715cea4186fa19a4f1c1557e3ef4f980a97
                            • Instruction Fuzzy Hash: 6EE1F9B4E112198FCB14DFA9D5809AEFBB2FF89304F248169E415AB356D731A941CFA0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1725519883.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7a30000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fcd23beed57725d7520ae99fb1c4bd6d944806eb683ac69faee45c1d9263fb9b
                            • Instruction ID: 2ca415287d282ac46e90c0101e5c93425b7549d93cfed0e7629274c6f76f568e
                            • Opcode Fuzzy Hash: fcd23beed57725d7520ae99fb1c4bd6d944806eb683ac69faee45c1d9263fb9b
                            • Instruction Fuzzy Hash: A5E11BB4E011198FCB14DFA9D580AAEFBF2FF89305F248169E415AB356D731A941CFA0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1725519883.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7a30000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: fb5a16562dfd4c08a9fa925dcb30caf8735835e5a393d8dddecfee42cfac768b
                            • Instruction ID: fd242b648f445799e7cb9f94905af73ec77ff71cf8114aeec3a3e3c87c24595a
                            • Opcode Fuzzy Hash: fb5a16562dfd4c08a9fa925dcb30caf8735835e5a393d8dddecfee42cfac768b
                            • Instruction Fuzzy Hash: 9CE10DB4E011198FCB14DFA9D580AAEFBF2FF89304F248159E415AB395D730A941CFA1
                            Memory Dump Source
                            • Source File: 00000000.00000002.1725519883.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7a30000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0d4534e303b8597d3b5a644bb757163de65d4bacebd57da3af82ff17323dc9ec
                            • Instruction ID: 1cf77a92e2b99d814b44da14c925b144958d27894c70ad9596adb418dfadec0c
                            • Opcode Fuzzy Hash: 0d4534e303b8597d3b5a644bb757163de65d4bacebd57da3af82ff17323dc9ec
                            • Instruction Fuzzy Hash: CEE1F9B4E102198FDB14DFA9D5809AEFBB2FF89304F248169E415AB356D730AD41CFA0
                            Memory Dump Source
                            • Source File: 00000000.00000002.1706718541.0000000002250000.00000040.00000800.00020000.00000000.sdmp, Offset: 02250000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_2250000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b5ce7ad1dcee3c60ff5f43585909bc5dcf8e1726c4ab81829852387e9874442f
                            • Instruction ID: 6b8b5c9f75bcea9f901332457af043a2671a55774f9ede8f35378888c8d9eb14
                            • Opcode Fuzzy Hash: b5ce7ad1dcee3c60ff5f43585909bc5dcf8e1726c4ab81829852387e9874442f
                            • Instruction Fuzzy Hash: 65A18136E1021A8FCF05DFB4C94459EBBB2FF86304B25856AEC01AB269DB71E915CF40
                            Memory Dump Source
                            • Source File: 00000000.00000002.1725519883.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7a30000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c07f6c9f6f800efe506ee21a40e21a7ba78956640abe136f52eede60081371be
                            • Instruction ID: 025f5d6f969ddd7cf8c18633810cb388cc0ece8c8373b40bfbe70e5d64515635
                            • Opcode Fuzzy Hash: c07f6c9f6f800efe506ee21a40e21a7ba78956640abe136f52eede60081371be
                            • Instruction Fuzzy Hash: DD510DB4E052198FDB14CFA9D5805AEFBF2BF89304F24C169E418AB356D730A941CFA1
                            Memory Dump Source
                            • Source File: 00000000.00000002.1725519883.0000000007A30000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_0_2_7a30000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cba7e9fee4c0a915e29e431a71473a010221b8bc5dd15280a19b00b5eba31a9c
                            • Instruction ID: 675423b2cd39fd41c252a781b3e1cd229f02add262e1f5088950ecc90e497b8f
                            • Opcode Fuzzy Hash: cba7e9fee4c0a915e29e431a71473a010221b8bc5dd15280a19b00b5eba31a9c
                            • Instruction Fuzzy Hash: 565109B4E012198FDB14CFA9D5805AEFBF2BF89305F24C169E418AB356D731A941CFA1

                            Execution Graph

                            Execution Coverage:7.2%
                            Dynamic/Decrypted Code Coverage:100%
                            Signature Coverage:0%
                            Total number of Nodes:52
                            Total number of Limit Nodes:9
                            Execution graph (rendered figure, node and edge list omitted). API call chains shown on the graph: 2bed0b8 -> GetCurrentProcess -> GetCurrentThread -> GetCurrentProcess -> GetCurrentThreadId; 2bead38 -> 2beb068 GetModuleHandleW, 2beb0c8/2beb0c7 and 2bea870/2beb2a8 LoadLibraryExW; 2be4668 -> 2be4248/2be5940 CreateActCtxA; 2bed300 -> DuplicateHandle

                            Control-flow Graph

                            Control-flow graph (rendered figure, legend Executed / Not Executed, edge list omitted): blocks 2bed0a8-2bed285 calling GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId, with a call to 2bed297
                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 02BED136
                            • GetCurrentThread.KERNEL32 ref: 02BED173
                            • GetCurrentProcess.KERNEL32 ref: 02BED1B0
                            • GetCurrentThreadId.KERNEL32 ref: 02BED209
                            Memory Dump Source
                            • Source File: 00000007.00000002.1821285868.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_2be0000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0
                            • Opcode ID: 33fac9375df7d8ecd26007f9c3697577996e339cf8636cef3a2551fcf2f16489
                            • Instruction ID: b14afd6b715ed9512e70c3317f8779a2c2b1a8c535c1a58aa06ed8af007086f8
                            • Opcode Fuzzy Hash: 33fac9375df7d8ecd26007f9c3697577996e339cf8636cef3a2551fcf2f16489
                            • Instruction Fuzzy Hash: 325166B090024ACFDB04CFA9D548BDEBBF5EF48304F208599E059A73A0D7749984CF65

                            Control-flow Graph

                            Control-flow graph (rendered figure, legend Executed / Not Executed, edge list omitted): blocks 2bed0b8-2bed285 calling GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId, with a call to 2bed297
                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 02BED136
                            • GetCurrentThread.KERNEL32 ref: 02BED173
                            • GetCurrentProcess.KERNEL32 ref: 02BED1B0
                            • GetCurrentThreadId.KERNEL32 ref: 02BED209
                            Memory Dump Source
                            • Source File: 00000007.00000002.1821285868.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_2be0000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0
                            • Opcode ID: 74f1027eaa249b54f4faa121ae4195b5c57fd458a7bcb31a8643e0576cfe0e28
                            • Instruction ID: d7ba146f0644ff8e352d52eb4a7b177a5ae7fc5a097c3656a4b68a7ce4cf11d9
                            • Opcode Fuzzy Hash: 74f1027eaa249b54f4faa121ae4195b5c57fd458a7bcb31a8643e0576cfe0e28
                            • Instruction Fuzzy Hash: 015155B090024ACFDB14DFAAD548BDEBBF5EF48314F2085A9E019A7360DB749984CF65

                            Control-flow Graph

                            Control-flow graph (rendered figure, legend Executed / Not Executed, edge list omitted): blocks 2beae30-2beb0b0 calling GetModuleHandleW at 2beb068, with internal calls to 2be9838, 2beb0c8/2beb0c7, 2bea814, 2bea824, 2bea834, 2bea844
                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 02BEB086
                            Memory Dump Source
                            • Source File: 00000007.00000002.1821285868.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_2be0000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: 62c6b2418545e785299eefbd40cad1885eefae65f0ac2fdec80772e4e6f0227e
                            • Instruction ID: 5ec6d2771329b7273e8ba06e17621fc522278992aba19361f827abfc160e8e57
                            • Opcode Fuzzy Hash: 62c6b2418545e785299eefbd40cad1885eefae65f0ac2fdec80772e4e6f0227e
                            • Instruction Fuzzy Hash: FA8145B0A00B058FDB24DF69C14079ABBF5FF88304F108A6ED09AD7A51D775E94ACB91

Control-flow Graph
                            control_flow_graph 653 2be5935-2be593c 654 2be5944-2be5a01 CreateActCtxA 653->654 656 2be5a0a-2be5a64 654->656 657 2be5a03-2be5a09 654->657 664 2be5a66-2be5a69 656->664 665 2be5a73-2be5a77 656->665 657->656 664->665 666 2be5a88-2be5ab8 665->666 667 2be5a79-2be5a85 665->667 671 2be5a6a 666->671 672 2be5aba-2be5b3c 666->672 667->666 671->665
                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 02BE59F1
                            Memory Dump Source
                            • Source File: 00000007.00000002.1821285868.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_2be0000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0
                            • Opcode ID: e6d69befb8f94b053beaa60a242473ced2411edbd4fd2abd0f4e05a7370b22f3
                            • Instruction ID: bdb60856f66e1a09275db58e6d2348461913f7c6c38aa6945a130c99f9af067b
                            • Opcode Fuzzy Hash: e6d69befb8f94b053beaa60a242473ced2411edbd4fd2abd0f4e05a7370b22f3
                            • Instruction Fuzzy Hash: 7D41F1B0C00629CFDB24CFA9C8847DDBBB5FF48304F2480AAD419AB251DB755989CF90

Control-flow Graph
                            control_flow_graph 674 2be4248-2be5a01 CreateActCtxA 677 2be5a0a-2be5a64 674->677 678 2be5a03-2be5a09 674->678 685 2be5a66-2be5a69 677->685 686 2be5a73-2be5a77 677->686 678->677 685->686 687 2be5a88-2be5ab8 686->687 688 2be5a79-2be5a85 686->688 692 2be5a6a 687->692 693 2be5aba-2be5b3c 687->693 688->687 692->686
                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 02BE59F1
                            Memory Dump Source
                            • Source File: 00000007.00000002.1821285868.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_2be0000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0
                            • Opcode ID: f1779a790011792bc46cda6dccc6904d05cb8a4ae59dc2ccd6f14b4f5a21beaa
                            • Instruction ID: e5b6b6863c1d39d25b9f0b81c8185bc83539e6ab444eedb2accbd7e703c97c53
                            • Opcode Fuzzy Hash: f1779a790011792bc46cda6dccc6904d05cb8a4ae59dc2ccd6f14b4f5a21beaa
                            • Instruction Fuzzy Hash: 5341E2B0C0062DCBDB24CFA9C884BDEBBB5FF44304F2080AAD409AB251DB756949CF90

Control-flow Graph
                            control_flow_graph 695 2bed300-2bed394 DuplicateHandle 696 2bed39d-2bed3ba 695->696 697 2bed396-2bed39c 695->697 697->696
                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02BED387
                            Memory Dump Source
                            • Source File: 00000007.00000002.1821285868.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_2be0000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: cf2e56737c4d736fad66c1d291237524f3e7306fe0f3d545dc678c0bcdc79af5
                            • Instruction ID: b8b94d6b343e0e7dc483da5f929d93ec6a88b6b5ff1c54e10c4a1d445b66e195
                            • Opcode Fuzzy Hash: cf2e56737c4d736fad66c1d291237524f3e7306fe0f3d545dc678c0bcdc79af5
                            • Instruction Fuzzy Hash: 3121E2B5900249DFDB10CFAAD984ADEBBF8EB48320F14805AE918A3350D374A940CFA4

Control-flow Graph
                            control_flow_graph 700 2bed2f9-2bed394 DuplicateHandle 701 2bed39d-2bed3ba 700->701 702 2bed396-2bed39c 700->702 702->701
                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02BED387
                            Memory Dump Source
                            • Source File: 00000007.00000002.1821285868.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_2be0000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: 9bfd8a6101572339937697dbbfc70d5236c80bebcdc44b1bb8bd21678922002e
                            • Instruction ID: ac98c54dc292dee34101cdd6487216a2efbb23572f321accaaa8869fe81599ad
                            • Opcode Fuzzy Hash: 9bfd8a6101572339937697dbbfc70d5236c80bebcdc44b1bb8bd21678922002e
                            • Instruction Fuzzy Hash: BC2112B5900259DFDB10CFA9D584ADEBBF4FB48320F14805AE958A3310C378A940CFA4

Control-flow Graph
                            control_flow_graph 705 2bea870-2beb2e8 707 2beb2ea-2beb2ed 705->707 708 2beb2f0-2beb31f LoadLibraryExW 705->708 707->708 709 2beb328-2beb345 708->709 710 2beb321-2beb327 708->710 710->709
                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02BEB101,00000800,00000000,00000000), ref: 02BEB312
                            Memory Dump Source
                            • Source File: 00000007.00000002.1821285868.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_2be0000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 419a7d8fcec1117744aa55776b86fefadd6678fc25658cd682d014ee9f7e52c0
                            • Instruction ID: 8eb0da3ccde2ea64369fb0f9bddddedddf0c80e63763389de6fefd587468e952
                            • Opcode Fuzzy Hash: 419a7d8fcec1117744aa55776b86fefadd6678fc25658cd682d014ee9f7e52c0
                            • Instruction Fuzzy Hash: 6611D0B69003499FDB10DF9AC444ADEFBF4EF88314F10846AE969A7210C375A545CFA5

Control-flow Graph
                            control_flow_graph 713 2beb2a0-2beb2e8 714 2beb2ea-2beb2ed 713->714 715 2beb2f0-2beb31f LoadLibraryExW 713->715 714->715 716 2beb328-2beb345 715->716 717 2beb321-2beb327 715->717 717->716
                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02BEB101,00000800,00000000,00000000), ref: 02BEB312
                            Memory Dump Source
                            • Source File: 00000007.00000002.1821285868.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_2be0000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 7012835810ea702a0a63e990f579bb8fc9eeb68e387332ad0f506e02291bbbd9
                            • Instruction ID: cde9d6ec60cc415973655c84b3e5d06a0ffd9ad32989a39042ea18bab6c1d2cb
                            • Opcode Fuzzy Hash: 7012835810ea702a0a63e990f579bb8fc9eeb68e387332ad0f506e02291bbbd9
                            • Instruction Fuzzy Hash: E41112B69002598FDB10DFAAC444ADEFBF4FF88314F10846AD869A7210C375A545CFA0

Control-flow Graph
                            control_flow_graph 720 2beb020-2beb060 721 2beb068-2beb093 GetModuleHandleW 720->721 722 2beb062-2beb065 720->722 723 2beb09c-2beb0b0 721->723 724 2beb095-2beb09b 721->724 722->721 724->723
                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 02BEB086
                            Memory Dump Source
                            • Source File: 00000007.00000002.1821285868.0000000002BE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02BE0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_2be0000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: 6ed95fa9679305db2ee154afb24e76d873a7b8dbcb41127d6ca91c401cc1f0e4
                            • Instruction ID: 3edba260f11ac2f35f75e5031ddc4f4cce27865c6dd1fc78a4c77ffe662dace5
                            • Opcode Fuzzy Hash: 6ed95fa9679305db2ee154afb24e76d873a7b8dbcb41127d6ca91c401cc1f0e4
                            • Instruction Fuzzy Hash: 21110FB6C003498FCB20DF9AC444ADEFBF4FB88224F10846AD469A7210C375A545CFA1
                            Memory Dump Source
                            • Source File: 00000007.00000002.1819911874.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_e1d000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bf0ad5ae83df17c728d5cdb812a36f8d130ba763902e579ab7470b01fa6604df
                            • Instruction ID: 4e4eb6c2c0420078243b92f07c338ba8109d5cdfea998f497883b6bcf6fd7347
                            • Opcode Fuzzy Hash: bf0ad5ae83df17c728d5cdb812a36f8d130ba763902e579ab7470b01fa6604df
                            • Instruction Fuzzy Hash: 07214B71508240DFCB05DF14DDC0B5BBFA5FB88314F20C269E9091B296C336D896CB61
                            Memory Dump Source
                            • Source File: 00000007.00000002.1820057211.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_f7d000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 925d1a98d7f6f12aa257b9c1da72de3276da837a059fcbad23aa2e14cb523b86
                            • Instruction ID: 3f697da5f892a4d06e000d8926302160071cb9bd0712f06ec524119d3c4c7a62
                            • Opcode Fuzzy Hash: 925d1a98d7f6f12aa257b9c1da72de3276da837a059fcbad23aa2e14cb523b86
                            • Instruction Fuzzy Hash: 3C21F275604200DFCB14DF14D984B26BBB5EF84324F64C56ED80E4B29AC33AD847DA62
                            Memory Dump Source
                            • Source File: 00000007.00000002.1820057211.0000000000F7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00F7D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_f7d000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cbe7accfc92fead2c2f56afe6b4b8cfcee0aa9644e8d1ae2608d17e1fca25d5a
                            • Instruction ID: 161440c7dbc6ca4b015b47a9ab090ce4feb6728793bb0217cc39854d57c630f9
                            • Opcode Fuzzy Hash: cbe7accfc92fead2c2f56afe6b4b8cfcee0aa9644e8d1ae2608d17e1fca25d5a
                            • Instruction Fuzzy Hash: 21214F755093808FDB12CF24D994715BF71EF46214F28C5EBD8498B6A7C33A980ADB62
                            Memory Dump Source
                            • Source File: 00000007.00000002.1819911874.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_e1d000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c7c8d58dc0dea2b6e01ffeb94055e7b182a7219ccea2c20f3472bf21e95a7b9d
                            • Instruction ID: b68d3b7dc5b6d0c472a3125dff9261413685cb0d55571e6bedf2e507fc663682
                            • Opcode Fuzzy Hash: c7c8d58dc0dea2b6e01ffeb94055e7b182a7219ccea2c20f3472bf21e95a7b9d
                            • Instruction Fuzzy Hash: CE21D276404280DFCB06CF00D9C4B5ABF72FB88318F24C2AADD481B296C33AD466CB91
                            Memory Dump Source
                            • Source File: 00000007.00000002.1819911874.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_e1d000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3f3b415e62a3f6489f662f6915cbaf886c186d06ec041888b53efcd6f6c78011
                            • Instruction ID: 980cd97ddc6d6d2c57487b1638fea345021e923468edee77d14fc5fa429d022a
                            • Opcode Fuzzy Hash: 3f3b415e62a3f6489f662f6915cbaf886c186d06ec041888b53efcd6f6c78011
                            • Instruction Fuzzy Hash: 7001D63110C3449AE710DA2ACD847E7BF9CEF41724F18C56AED096A286C279DC80C6B1
                            Memory Dump Source
                            • Source File: 00000007.00000002.1819911874.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_7_2_e1d000_aS4XS9m23e.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 78739bf5083d7cc9afec94674e393b966606825373bfc2ea37d29663277d3492
                            • Instruction ID: 5032b0b735131cdfe119a1b544dc9c1a9a6e9267d2c74bd7373e41e3abe6171c
                            • Opcode Fuzzy Hash: 78739bf5083d7cc9afec94674e393b966606825373bfc2ea37d29663277d3492
                            • Instruction Fuzzy Hash: 64F0627150C3449EE7108A1ACDC4BA7FFA8EF51738F18C55AED085E286C2799C84CA71

                            Execution Graph

Execution Coverage: 11.6%
Dynamic/Decrypted Code Coverage: 100%
Signature Coverage: 0%
Total number of Nodes: 56
Total number of Limit Nodes: 3
                            execution_graph 22699 e6d060 22700 e6d0a6 GetCurrentProcess 22699->22700 22702 e6d0f1 22700->22702 22703 e6d0f8 GetCurrentThread 22700->22703 22702->22703 22704 e6d135 GetCurrentProcess 22703->22704 22705 e6d12e 22703->22705 22706 e6d16b 22704->22706 22705->22704 22707 e6d193 GetCurrentThreadId 22706->22707 22708 e6d1c4 22707->22708 22730 e6acd0 22731 e6acd4 22730->22731 22735 e6adb7 22731->22735 22743 e6adc8 22731->22743 22732 e6acdf 22736 e6adbc 22735->22736 22737 e6adfc 22736->22737 22751 e6b060 22736->22751 22755 e6b051 22736->22755 22737->22732 22738 e6b000 GetModuleHandleW 22740 e6b02d 22738->22740 22739 e6adf4 22739->22737 22739->22738 22740->22732 22744 e6adcc 22743->22744 22745 e6adfc 22744->22745 22749 e6b060 LoadLibraryExW 22744->22749 22750 e6b051 2 API calls 22744->22750 22745->22732 22746 e6b000 GetModuleHandleW 22748 e6b02d 22746->22748 22747 e6adf4 22747->22745 22747->22746 22748->22732 22749->22747 22750->22747 22752 e6b074 22751->22752 22753 e6b099 22752->22753 22763 e6a150 22752->22763 22753->22739 22756 e6b054 22755->22756 22757 e6aff9 GetModuleHandleW 22756->22757 22760 e6b05a 22756->22760 22759 e6b02d 22757->22759 22759->22739 22761 e6b099 22760->22761 22762 e6a150 LoadLibraryExW 22760->22762 22761->22739 22762->22761 22764 e6b240 LoadLibraryExW 22763->22764 22766 e6b2b9 22764->22766 22766->22753 22767 e6d6b0 DuplicateHandle 22768 e6d746 22767->22768 22709 e64668 22710 e6467a 22709->22710 22711 e64686 22710->22711 22713 e64779 22710->22713 22714 e6477c 22713->22714 22718 e64888 22714->22718 22722 e64879 22714->22722 22720 e648af 22718->22720 22719 e6498c 22720->22719 22726 e644b0 22720->22726 22724 e6487c 22722->22724 22723 e6498c 22723->22723 22724->22723 22725 e644b0 CreateActCtxA 22724->22725 22725->22723 22727 e65918 CreateActCtxA 22726->22727 22729 e659db 22727->22729

Control-flow Graph
control_flow_graph 345 5a07388-5a073b0 346 5a073b2 345->346 347 5a073b7-5a074de 345->347 346->347 356 5a074e0-5a074ed 347->356 357 5a07486-5a07503 347->357 356->357 359 5a07509-5a07c47 357->359 360 5a07a2d-5a07a6f 357->360 364 5a07a72-5a07a76 360->364 365 5a075da-5a075de 364->365 366 5a07a7c-5a07a82 364->366 368 5a075e0-5a075ee 365->368 369 5a075f3-5a075f9 365->369 366->360 367 5a07a84-5a07adf 366->367 387 5a07ae1-5a07b14 367->387 388 5a07b16-5a07b40 367->388 370 5a07673-5a076a5 368->370 371 5a07644-5a07648 369->371 391 5a076a7-5a076b3 370->391 392 5a076cf 370->392 372 5a0764a-5a07661 371->372 373 5a075fb-5a07607 371->373 375 5a07663-5a07666 372->375 376 5a07616-5a0761c 372->376 378 5a07609 373->378 379 5a0760e-5a07613 373->379 380 5a07669-5a0766d 375->380 382 5a07641 376->382 383 5a0761e-5a07622 376->383 378->379 379->376 380->370 385 5a075c0-5a075d7 380->385 382->371 384 5a07625-5a07632 383->384 389 5a07597-5a075bb 384->389 390 5a07638-5a0763f 384->390 385->365 399 5a07b49-5a07bc8 387->399 388->399 389->380 390->372 396 5a076b5-5a076bb 391->396 397 5a076bd-5a076c3 391->397 394 5a076d5-5a076fb 392->394 405 5a076fe-5a07702 394->405 401 5a076cd 396->401 397->401 414 5a07bcf-5a07be2 399->414 401->394 406 5a07751-5a07787 405->406 407 5a07704-5a0773c 405->407 406->384 412 5a0778d-5a07806 406->412 415 5a07bf1-5a07bf6 407->415 427 5a07808 412->427 428 5a0780f-5a07810 412->428 414->415 417 5a07bf8-5a07c06 415->417 418 5a07c0d-5a07c2c 415->418 417->418 423 5a07c32-5a07c39 418->423 424 5a0754f-5a07550 418->424 424->389 425 5a07c99-5a07ca0 424->425 427->428 429 5a07867-5a0786d 428->429 430 5a07812-5a07834 429->430 431 5a0786f-5a07931 429->431 432 5a07836 430->432 433 5a0783b-5a07864 430->433 442 5a07972-5a07976 431->442 443 5a07933-5a0796c 431->443 432->433 433->429 444 5a079b7-5a079bb 442->444 445 5a07978-5a079b1 442->445 443->442 447 5a079fc-5a07a00 444->447 448 5a079bd-5a079f6 444->448 445->444 447->367 450 5a07a06-5a07a1e 447->450 448->447 450->405 452 5a07a24-5a07a2b 450->452 452->364
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID: 4'^q$:$pbq$~
                            • API String ID: 0-999388165
                            • Opcode ID: 84c6cd1970e87d151aa72f310139cc36beeed016e4bd8d75de1305ea721f210b
                            • Instruction ID: b278b47ae4219137b43d3964abc66896379cbebd62a293a06be9e2ea762748df
                            • Opcode Fuzzy Hash: 84c6cd1970e87d151aa72f310139cc36beeed016e4bd8d75de1305ea721f210b
                            • Instruction Fuzzy Hash: 52420375A00219DFCB25CFA9D980E99BBB2FF48304F1190E9E509AB261DB31ED91DF40

Control-flow Graph
                            control_flow_graph 519 5a052ba-5a052f1 585 5a052f1 call 5a05700 519->585 586 5a052f1 call 5a05710 519->586 521 5a052f7-5a05357 call 5a039c4 530 5a0535a-5a0536f 521->530 532 5a05371 530->532 533 5a05376-5a0538b 532->533 534 5a05391 533->534 535 5a05426-5a0543f 533->535 534->532 534->535 536 5a05441 534->536 537 5a054c2-5a054d6 534->537 538 5a05464-5a05478 534->538 539 5a05405-5a05421 534->539 540 5a055e9-5a05607 call 5a088cc 534->540 541 5a056ab 534->541 542 5a053b2-5a053cc 534->542 543 5a053f3-5a053f5 534->543 544 5a05398-5a0539a 534->544 545 5a054d8 534->545 546 5a0547a 534->546 547 5a055bc 534->547 548 5a0549f 534->548 549 5a0561f-5a05693 534->549 535->536 535->546 553 5a05446-5a0545b 536->553 551 5a054a4-5a054b9 537->551 538->553 539->533 581 5a05609 call 5a09f00 540->581 582 5a05609 call 5a09f10 540->582 566 5a056b2-5a056b9 541->566 571 5a053d7-5a053f1 542->571 543->530 552 5a053fb-5a05400 543->552 554 5a053a3 544->554 555 5a0539c-5a053a1 544->555 545->547 546->548 556 5a055c1-5a055d0 547->556 548->551 583 5a05695 call 5a0a4f8 549->583 584 5a05695 call 5a0a4e9 549->584 551->545 559 5a054bb 551->559 552->533 553->546 563 5a0545d 553->563 564 5a053a8-5a053b0 554->564 555->564 556->541 567 5a055d6 556->567 559->537 559->540 559->541 559->545 559->547 559->548 559->549 563->536 563->537 563->538 563->540 563->541 563->545 563->546 563->547 563->548 563->549 564->533 567->540 567->541 567->547 567->549 571->533 572 5a0560f-5a0561d 572->556 580 5a0569b-5a056a6 580->556 581->572 582->572 583->580 584->580 585->521 586->521
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID: Te^q$Te^q
                            • API String ID: 0-3743469327
                            • Opcode ID: 1c02df6ecedc22b2c09782f08a235203aaa2adc2ad3a6057eaba49e774dd00e6
                            • Instruction ID: 1cf03d9b044d9a89538a0f4524e2121980b7a4bb667780175c21a3aca5d7f205
                            • Opcode Fuzzy Hash: 1c02df6ecedc22b2c09782f08a235203aaa2adc2ad3a6057eaba49e774dd00e6
                            • Instruction Fuzzy Hash: 7181A334F202048FDB44DB79E598B6EBBB3FB88711F249425E506EB3A4DA70DD028B41

Control-flow Graph
                            control_flow_graph 588 5a052c8-5a052f1 652 5a052f1 call 5a05700 588->652 653 5a052f1 call 5a05710 588->653 590 5a052f7-5a05357 call 5a039c4 599 5a0535a-5a0536f 590->599 601 5a05371 599->601 602 5a05376-5a0538b 601->602 603 5a05391 602->603 604 5a05426-5a0543f 602->604 603->601 603->604 605 5a05441 603->605 606 5a054c2-5a054d6 603->606 607 5a05464-5a05478 603->607 608 5a05405-5a05421 603->608 609 5a055e9-5a05607 call 5a088cc 603->609 610 5a056ab 603->610 611 5a053b2-5a053cc 603->611 612 5a053f3-5a053f5 603->612 613 5a05398-5a0539a 603->613 614 5a054d8 603->614 615 5a0547a 603->615 616 5a055bc 603->616 617 5a0549f 603->617 618 5a0561f-5a05693 603->618 604->605 604->615 622 5a05446-5a0545b 605->622 620 5a054a4-5a054b9 606->620 607->622 608->602 655 5a05609 call 5a09f00 609->655 656 5a05609 call 5a09f10 609->656 635 5a056b2-5a056b9 610->635 640 5a053d7-5a053f1 611->640 612->599 621 5a053fb-5a05400 612->621 623 5a053a3 613->623 624 5a0539c-5a053a1 613->624 614->616 615->617 625 5a055c1-5a055d0 616->625 617->620 650 5a05695 call 5a0a4f8 618->650 651 5a05695 call 5a0a4e9 618->651 620->614 628 5a054bb 620->628 621->602 622->615 632 5a0545d 622->632 633 5a053a8-5a053b0 623->633 624->633 625->610 636 5a055d6 625->636 628->606 628->609 628->610 628->614 628->616 628->617 628->618 632->605 632->606 632->607 632->609 632->610 632->614 632->615 632->616 632->617 632->618 633->602 636->609 636->610 636->616 636->618 640->602 641 5a0560f-5a0561d 641->625 649 5a0569b-5a056a6 649->625 650->649 651->649 652->590 653->590 655->641 656->641
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID: Te^q$Te^q
                            • API String ID: 0-3743469327
                            • Opcode ID: 68472d7b41efb28f5904f084e093adf46e4835085d037749185230d5f61ad514
                            • Instruction ID: 56683bbd01228c51bfa5a6d78d924f6cf8dd03754a1ec900b74e44dd192f1df6
                            • Opcode Fuzzy Hash: 68472d7b41efb28f5904f084e093adf46e4835085d037749185230d5f61ad514
                            • Instruction Fuzzy Hash: FA718334F202048FDB44DB79E598B6EBBA3FB88711F259425E506EB3A4DE70DD028B41
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a83256e8b7c38e05a80eae6e6b99ef2e7c10910bb811d4b96a0f8644f3b28d49
                            • Instruction ID: 4ac5c221f91eddd6c5012d91223f30ce8f69b1ab8f80b5a8239df14a3ec5da94
                            • Opcode Fuzzy Hash: a83256e8b7c38e05a80eae6e6b99ef2e7c10910bb811d4b96a0f8644f3b28d49
                            • Instruction Fuzzy Hash: 6BA180303106008FC705EF39D59499ABBF2EF8A304B51986ED05ADF3A5DA34ED46CB51
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 063ae07a10747a79cbad66475292882b05fc1d122378c3e7ae87f84d4b75690a
                            • Instruction ID: aabb796544bcb6bd877825f499ec91c7f1d44863de7f700537a2c8d7baf6fa79
                            • Opcode Fuzzy Hash: 063ae07a10747a79cbad66475292882b05fc1d122378c3e7ae87f84d4b75690a
                            • Instruction Fuzzy Hash: 85915E303206008FC759EF39D588AAABBE6FF89304B51986DD41ADF3A5DA30ED45CB51
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 034110749436d33b01d6d8d7cffee5fc7120277969354fb6adcc722e4b8b630f
                            • Instruction ID: 7a8c3a788ace606f08d547ddb1704b576479e07811d639451a6b723a83edf57b
                            • Opcode Fuzzy Hash: 034110749436d33b01d6d8d7cffee5fc7120277969354fb6adcc722e4b8b630f
                            • Instruction Fuzzy Hash: 52413F31F242058FD708CBB65951ABFB7BBABC9700F10E42AD546BB2D5DA34DD028791
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5ceb50647b8af56774fd8203a871132a7141d7b94e27a32a57988d5aafe2397c
                            • Instruction ID: 9656895d110e5fc599f454addc35d1a0de066bba39cf71bfd314756e85eec2b1
                            • Opcode Fuzzy Hash: 5ceb50647b8af56774fd8203a871132a7141d7b94e27a32a57988d5aafe2397c
                            • Instruction Fuzzy Hash: 65414B31F242058FD708CAB699519BFB6BBABC9700F10E42AD542BB2D5DA34DD028791

                            Control-flow Graph

                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 00E6D0DE
                            • GetCurrentThread.KERNEL32 ref: 00E6D11B
                            • GetCurrentProcess.KERNEL32 ref: 00E6D158
                            • GetCurrentThreadId.KERNEL32 ref: 00E6D1B1
                            Memory Dump Source
                            • Source File: 00000008.00000002.1750478921.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_e60000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0

                            Control-flow Graph

                            APIs
                            • GetCurrentProcess.KERNEL32 ref: 00E6D0DE
                            • GetCurrentThread.KERNEL32 ref: 00E6D11B
                            • GetCurrentProcess.KERNEL32 ref: 00E6D158
                            • GetCurrentThreadId.KERNEL32 ref: 00E6D1B1
                            Memory Dump Source
                            • Source File: 00000008.00000002.1750478921.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_e60000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID: Current$ProcessThread
                            • String ID:
                            • API String ID: 2063062207-0

                            Control-flow Graph

                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID: $^q$$^q$$^q$$^q
                            • API String ID: 0-2125118731

                            Control-flow Graph

                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID: Te^q$Te^q
                            • API String ID: 0-3743469327

                            Control-flow Graph

                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID: Te^q$Te^q
                            • API String ID: 0-3743469327

                            Control-flow Graph

                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID: Te^q$Te^q
                            • API String ID: 0-3743469327

                            Control-flow Graph

                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00E6B01E
                            Memory Dump Source
                            • Source File: 00000008.00000002.1750478921.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_e60000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0

                            Control-flow Graph

                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 00E659C9
                            Memory Dump Source
                            • Source File: 00000008.00000002.1750478921.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_e60000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0

                            Control-flow Graph

                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 00E659C9
                            Memory Dump Source
                            • Source File: 00000008.00000002.1750478921.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_e60000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0

                            Control-flow Graph

                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E6D737
                            Memory Dump Source
                            • Source File: 00000008.00000002.1750478921.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_e60000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            Memory Dump Source
                            • Source File: 00000008.00000002.1750478921.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_e60000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00E6D737
                            Memory Dump Source
                            • Source File: 00000008.00000002.1750478921.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_e60000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E6B099,00000800,00000000,00000000), ref: 00E6B2AA
                            Memory Dump Source
                            • Source File: 00000008.00000002.1750478921.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_e60000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,00E6B099,00000800,00000000,00000000), ref: 00E6B2AA
                            Memory Dump Source
                            • Source File: 00000008.00000002.1750478921.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_e60000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 00E6B01E
                            Memory Dump Source
                            • Source File: 00000008.00000002.1750478921.0000000000E60000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E60000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_e60000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID: Hbq
                            • API String ID: 0-1245868
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID: B
                            • API String ID: 0-1255198513
                            Strings
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID: B
                            • API String ID: 0-1255198513
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 41f7c54433124014036223270cf121bd7faaec44a090e409fc7e4f1c20e7a593
                            • Instruction ID: 363b7413cacbfe8db23e6f0c190c3de045ed5ce5ed6190ceb2675b9311bed43f
                            • Opcode Fuzzy Hash: 41f7c54433124014036223270cf121bd7faaec44a090e409fc7e4f1c20e7a593
                            • Instruction Fuzzy Hash: 8B417835A101088FDF00DF64D984EEA7BF6FF89304F1580A9E905AB7A6DA35ED06CB50
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a0246b458c202ef67560bfd2b75d6131f56ff2f2b5c517c2b8c9fa3193b0c657
                            • Instruction ID: 4284d5af12096e87d8d9e1c5d890f525a4aeeeb7f9535e82cc5add3ea963a551
                            • Opcode Fuzzy Hash: a0246b458c202ef67560bfd2b75d6131f56ff2f2b5c517c2b8c9fa3193b0c657
                            • Instruction Fuzzy Hash: 4E41F174E1921ADFCB00CFA9F884CFDBBB1FB0D305B00A855E456AB295D731A964CB24
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 99a92c0c74fa81585b83130763147b5de3bab2a9c59bc023b8ae18f77593698b
                            • Instruction ID: 92d5861c43b206db2e73ff52bd1ce9b79d723ae7442a9845ae5a3322974036a9
                            • Opcode Fuzzy Hash: 99a92c0c74fa81585b83130763147b5de3bab2a9c59bc023b8ae18f77593698b
                            • Instruction Fuzzy Hash: 6531CF35F102089FDB44DB76E599B6EBAA3FB88711F208426F506EB794CA75CD018F80
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a41267f18ff4f27a8208e7bcb805094289d24df0cced653d2c508f2e52258125
                            • Instruction ID: 5937c4f0dc82bd0d318cfb5241117767666980835769574a23715dfa291dbe0b
                            • Opcode Fuzzy Hash: a41267f18ff4f27a8208e7bcb805094289d24df0cced653d2c508f2e52258125
                            • Instruction Fuzzy Hash: 3F410770D04258CBDB18CF96D844BDEBBF6BF88300F14D4AAD40AB6294DB750985CF50
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ba32c488943071f53b6c6a57f3cca90f2d6b7ae7c2b493addf0d35d4cefe7f5a
                            • Instruction ID: cae2c73ce9c16cb900090b730bf8820938f014eefa8320ca707dd6a79701b668
                            • Opcode Fuzzy Hash: ba32c488943071f53b6c6a57f3cca90f2d6b7ae7c2b493addf0d35d4cefe7f5a
                            • Instruction Fuzzy Hash: 5331AE74A001199FDB00CFA5D984EEDBBB2FB49312F20A055E806BB259C739AE85CF10
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 71df6d6c315a338996a98c70be73d6edf2c227b27e676a57567244b099f0355e
                            • Instruction ID: 662d0ac50eca00b8c3c238b2ad73ce1cc66311829f87104ece78e8cf78b31ea5
                            • Opcode Fuzzy Hash: 71df6d6c315a338996a98c70be73d6edf2c227b27e676a57567244b099f0355e
                            • Instruction Fuzzy Hash: 21316DB5E1021A8FCB40CFA9D880AEDBBF1BB48314F149566E815F7245D338AA45CF64
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b1a8e7f623cc94a90afa0f3542eba0b466997ef2e859137bc8ec106f2bd8260c
                            • Instruction ID: e41bc0b82f165b867407d4dd775780288e907ebb9d03a69fdf948248ee068667
                            • Opcode Fuzzy Hash: b1a8e7f623cc94a90afa0f3542eba0b466997ef2e859137bc8ec106f2bd8260c
                            • Instruction Fuzzy Hash: 96218E303206008FCB259B38D455E297BE9FF8A714B1094AEE506CB3B1DB71DC46CB50
                            Memory Dump Source
                            • Source File: 00000008.00000002.1750322661.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_e0d000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 45bbcd6230670b2e361979a7491d073c97c619922b1b95eed13c5c5fe94dc306
                            • Instruction ID: 09c5c597f165f542d36177be75b1b7270db80f5a7e24e2d37559e73c308c8e66
                            • Opcode Fuzzy Hash: 45bbcd6230670b2e361979a7491d073c97c619922b1b95eed13c5c5fe94dc306
                            • Instruction Fuzzy Hash: EC212271508240DFCB05DF54DDC0B2ABF65FB98328F20C569EC096B296C336D896CBA2
                            Memory Dump Source
                            • Source File: 00000008.00000002.1750322661.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_e0d000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1065b2698fb7af6328dc6b63f3323e544f2ed1af737c9c1dac3c8322c2e8c1ea
                            • Instruction ID: 97966e426c9a78737c908cde9b24ea0a7e98aa372bc7a5c0d8f0673ab6b2f24a
                            • Opcode Fuzzy Hash: 1065b2698fb7af6328dc6b63f3323e544f2ed1af737c9c1dac3c8322c2e8c1ea
                            • Instruction Fuzzy Hash: DB213A71508204DFDB05DF54DDC0B2BBF65FB94324F20C169E9095B296C336E896C7A2
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ffceaa5ddb1201b38737fe912ec04790cbb7d401c16f5c4201d1fc9c4f7f6c9d
                            • Instruction ID: 7599f1af0773bb98bd62d6bc2bb478744329fde0d03c6deea8a13aad549ad7ed
                            • Opcode Fuzzy Hash: ffceaa5ddb1201b38737fe912ec04790cbb7d401c16f5c4201d1fc9c4f7f6c9d
                            • Instruction Fuzzy Hash: 1F21CC75A007018FC720DF69C8809ABBBBAFF89700B018569E819DB720E735ED06C790
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 78ecbdf1aefc9d860bac01fa6b763eeeb48a1643c53d49b93781db40bd8db10c
                            • Instruction ID: 82ec1afad821a94eac82c328c4282a792994f1b2c8d7b79eb1d0d4bb13f4f5bd
                            • Opcode Fuzzy Hash: 78ecbdf1aefc9d860bac01fa6b763eeeb48a1643c53d49b93781db40bd8db10c
                            • Instruction Fuzzy Hash: A5212B31A041096FCF04EB7AEC049EFBBBAEFC5310F04C466E514EB155DA349905C791
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a969076766f111c59ff93b185e3dc2867b49a0fb5109234db63f1de923cc4a01
                            • Instruction ID: 12de96248aefd40c50514bbd222401b620778cbd33888b6d4a3b20e4c9a7be93
                            • Opcode Fuzzy Hash: a969076766f111c59ff93b185e3dc2867b49a0fb5109234db63f1de923cc4a01
                            • Instruction Fuzzy Hash: 00213A303106008FCB18DB39E454E2977EAFF89715B109469E506CB3B1DB71EC46CB90
                            Memory Dump Source
                            • Source File: 00000008.00000002.1750369381.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_e1d000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: aef4ce3f0a2f7c63077845dfdac6dabc60fea700f3ffc9c4e91c9dda259d160c
                            • Instruction ID: 61839bca044ae0997616f96b89a26d6b0649ea9a65d08bb5d8c6f5201447fb2d
                            • Opcode Fuzzy Hash: aef4ce3f0a2f7c63077845dfdac6dabc60fea700f3ffc9c4e91c9dda259d160c
                            • Instruction Fuzzy Hash: BD212971508204EFDB05DF54DDC0BA6BBA5FB84318F30C66DD8195B265C336D886CA61
                            Memory Dump Source
                            • Source File: 00000008.00000002.1750369381.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_e1d000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cd20d98d1a94a628e2ad89daa78c8ae46fde52b46f820a6c97621cdaf9c1cc16
                            • Instruction ID: e6829c89f28ddae1079c16fe15ad21d89ffb9bd4cd8dd5931ce59f50b5180aef
                            • Opcode Fuzzy Hash: cd20d98d1a94a628e2ad89daa78c8ae46fde52b46f820a6c97621cdaf9c1cc16
                            • Instruction Fuzzy Hash: 7021F275608200DFCB14DF14D984BA6BBA6FB88318F20C56DD80A5B296C33AD887CA61
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 296ccc4d42205f796865bd8b744d79d49605a7bfcdb56e0082a13383ba130f4f
                            • Instruction ID: 2be90fd956d5abee37edd3c47ca6e630d7dd4c7a7a44a0bdc458555c88afbac7
                            • Opcode Fuzzy Hash: 296ccc4d42205f796865bd8b744d79d49605a7bfcdb56e0082a13383ba130f4f
                            • Instruction Fuzzy Hash: A2215875A007158BC320DF69C8809BBBBF9FF89714B018969E9199B320E771ED45CBA0
                            Memory Dump Source
                            • Source File: 00000008.00000002.1750369381.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_e1d000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5825c6d758e1d13bc63352b8c9e7ac253d9a083241403e4d83d42bb2068160f6
                            • Instruction ID: 22c56f20ab42a7dfb13f27a0e6bc4467c639958e5e63e1651520e10f5e8703ed
                            • Opcode Fuzzy Hash: 5825c6d758e1d13bc63352b8c9e7ac253d9a083241403e4d83d42bb2068160f6
                            • Instruction Fuzzy Hash: 1221837550D3808FC702CF24D994755BF71EB46318F28C5DAD8498F2A7C33A984ACB62
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d6872edb5269b0bf01a4f740789fceeef6ef48cfaae3503d89c9f09166421de5
                            • Instruction ID: cf46e93a038efc93364675c2edb06db4695883a6c57196e09fb6ab58c27c081b
                            • Opcode Fuzzy Hash: d6872edb5269b0bf01a4f740789fceeef6ef48cfaae3503d89c9f09166421de5
                            • Instruction Fuzzy Hash: B5215274A00909DFC704CF5AE684D99BBF1FF88311B6281D5E4489B369DB36EE51DB04
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: af5ba4a4275ab429e071d96e41fb66f688db87713f30622cf626db2e2faaa6b4
                            • Instruction ID: 9b63a3e2a8f15571119204dfb0b5c824570026d37630683a9424fae45de88460
                            • Opcode Fuzzy Hash: af5ba4a4275ab429e071d96e41fb66f688db87713f30622cf626db2e2faaa6b4
                            • Instruction Fuzzy Hash: 5321D8B4E08209DFCB40CF99D1809AEBBF5FB49304F60A055D809A7351D730AA41CF51
                            Memory Dump Source
                            • Source File: 00000008.00000002.1750322661.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_e0d000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                            • Instruction ID: 11ccf721b183ea25ae79bf024e65870d30a7539c6f012213c827c6b192f4f20b
                            • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                            • Instruction Fuzzy Hash: F2110372404280CFCB02CF54D9C4B16BF71FB98328F24C6A9DC091B296C336D85ACBA1
                            Memory Dump Source
                            • Source File: 00000008.00000002.1750322661.0000000000E0D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E0D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_e0d000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                            • Instruction ID: 916f635bd7cd2d98ae01a33fdfe6744ad54c245a30d9070ba44cf28ce6bc104a
                            • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                            • Instruction Fuzzy Hash: EF112672404240CFCB12CF44D9C4B16BF71FB94328F24C2A9DC090B256C33AE85ACBA1
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9efad5d6df3505f837523e38cb754b1571c958ba45f211c7a58bf4dd89b36694
                            • Instruction ID: 9e107f58e68b4a85ac757378137165a6ba2c26296f43f2506c33203e4a8744c6
                            • Opcode Fuzzy Hash: 9efad5d6df3505f837523e38cb754b1571c958ba45f211c7a58bf4dd89b36694
                            • Instruction Fuzzy Hash: F62100B5D042499FCB10DF9AD884ADFBBF4FB48320F10842AE919A7251C378A944CFA5
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b8273c91f35eed756beba67d6816931e84b1c41b57206a03940d2db6fa66cbbf
                            • Instruction ID: 696afe320eec692731ab45ab856a242d25275edd8f5b29efa1a68591544d32ff
                            • Opcode Fuzzy Hash: b8273c91f35eed756beba67d6816931e84b1c41b57206a03940d2db6fa66cbbf
                            • Instruction Fuzzy Hash: 5C2114B5C002499FCB10CFAAD944ADFBFF4FB48320F10841AE959A7210C379A544CFA5
                            Memory Dump Source
                            • Source File: 00000008.00000002.1750369381.0000000000E1D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E1D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_e1d000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                            • Instruction ID: a86d3681f018002109fd5a0f7730aefa8e05aa1bee66a596bc9d1b48906352c9
                            • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                            • Instruction Fuzzy Hash: C211BB75508280DFCB02CF54C9C4B55BBA1FB84318F24C6AAD8494B6A6C33AD89ACB61
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d07f190522c851d401ef6f40dd76d1e18f2f1295922a03716258b7791130c407
                            • Instruction ID: 1faaf8798a90a376b2d41b6a348325530088c559e29b6f2979fce170e6a16719
                            • Opcode Fuzzy Hash: d07f190522c851d401ef6f40dd76d1e18f2f1295922a03716258b7791130c407
                            • Instruction Fuzzy Hash: 8901F9332186905FC3058A1DEC148A57F65AAC622131981A7F5A8C7643C238AD1287E1
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1a857307ddc982cabb3d3041ab6fd59b683f2cc4bc19b370aa91470f0593fbc7
                            • Instruction ID: 5b18aaf890cba1c59762b002a982aeaa706ed77d5b3cbc8f8446bb2fe1a35b6a
                            • Opcode Fuzzy Hash: 1a857307ddc982cabb3d3041ab6fd59b683f2cc4bc19b370aa91470f0593fbc7
                            • Instruction Fuzzy Hash: 770128793246519BC304862AAC8596AEFA7FFC43003058137D515CAAD1EA20C9178A81
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e8f3bf1c250f1b9cde0445aec3648f92eb4c22b2b55e03cb30d8cebc928a384b
                            • Instruction ID: 72190d1cb54ae410064f287c7077306b6bbab0dd5f2e6f7b8579a5279a9d707d
                            • Opcode Fuzzy Hash: e8f3bf1c250f1b9cde0445aec3648f92eb4c22b2b55e03cb30d8cebc928a384b
                            • Instruction Fuzzy Hash: 970126326141146FDB00FF6DE840CEE7BBAEFC4364704C066E454DB269D634C8468B94
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 3abc38e2ecd20b56a74e1a4ad48dab1ea1695e5b807b0b7087925ed46e77924e
                            • Instruction ID: 1449c6b0760e82ee94e227f164e1e2b5fec0008dd530e17e3948d56016d759d0
                            • Opcode Fuzzy Hash: 3abc38e2ecd20b56a74e1a4ad48dab1ea1695e5b807b0b7087925ed46e77924e
                            • Instruction Fuzzy Hash: E101F5302193008FCB14D729E454D2AB7A6FF89320B54D5BDD1168B7A1CB31DC4ACB52
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5c814acb2d30bb6948602a892d3e270f6fae795d830660f445986614271d1e97
                            • Instruction ID: ce6303a3c1554d071a6f81515f4c84aec0b521ce04ade3cd2b64ed10299cbeb9
                            • Opcode Fuzzy Hash: 5c814acb2d30bb6948602a892d3e270f6fae795d830660f445986614271d1e97
                            • Instruction Fuzzy Hash: 7D014C30B587448FD3158B29D855F257BB2BF86700F5A90E6E1158F2B2DA26E844CB11
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 988e316a3c4325d099165914952e18f6a7ea98c68fd49d807b663d5ba68f48bc
                            • Instruction ID: 868bb45d94346c3aab05e55eae3c32b15adb06ee9c3e07add34c11ec6aa8f85b
                            • Opcode Fuzzy Hash: 988e316a3c4325d099165914952e18f6a7ea98c68fd49d807b663d5ba68f48bc
                            • Instruction Fuzzy Hash: 0501497A3142009FD300CEBAAC94A66EFABFBDD310314C637E005C7661CA24DC038741
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 84f8800d26c1811e6533681327724341c07be6fd5e30f99bbc3b52f3e7aa678a
                            • Instruction ID: 3a1456895d40ebf24a5b255fe3c0b1e024aed272b9520462f2bfa298b0db259e
                            • Opcode Fuzzy Hash: 84f8800d26c1811e6533681327724341c07be6fd5e30f99bbc3b52f3e7aa678a
                            • Instruction Fuzzy Hash: 580124347501418FE3049B3AA614B2A7FE6EBC9341F145869E00ACB768EA38EC438B41
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 472716c1e6d5681e81953359a2c51d29edc9375479ec20bd5258dc451d8ef270
                            • Instruction ID: ff2ef994e5f0a2bd8a924890f94820d9676e6d6097d5c66a8b88b215c8ef68e1
                            • Opcode Fuzzy Hash: 472716c1e6d5681e81953359a2c51d29edc9375479ec20bd5258dc451d8ef270
                            • Instruction Fuzzy Hash: BF01F4326041056FDF05EB69E880DEA7FBAEFC5394B08C065E828DB265D63599038B50
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0de1f83eb4acf5c0c20fe6cc5d8dd7bb5a65a15a62c6fb15bc244ce047600ffb
                            • Instruction ID: 19e6dde8f675f8852e9fb2219c31df6f279571a38b8aeb1b489b838f5525f141
                            • Opcode Fuzzy Hash: 0de1f83eb4acf5c0c20fe6cc5d8dd7bb5a65a15a62c6fb15bc244ce047600ffb
                            • Instruction Fuzzy Hash: 26014979334351978308862BEC44E2BEAEBBFC4310300C5379615CAAC0EA20CD238691
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 159d39cbafedd573829da9c8d15394230840ff398690229ed607269cc7ef7ad2
                            • Instruction ID: 462b8e346655a54e297a539576391ee4efb25b6023af8cfa5199f5b91c54c200
                            • Opcode Fuzzy Hash: 159d39cbafedd573829da9c8d15394230840ff398690229ed607269cc7ef7ad2
                            • Instruction Fuzzy Hash: 5C0186347601058FD704E63AA544A2A7BD7FBC8355B145435E10AC7768EA38DC478B55
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cd43e7bb22ffb4ec8caeff128777f9dbfcc96886f13e1aabc2ac68de38e8a8fe
                            • Instruction ID: e3bdb5284e5c5a3ecafbf805014ad3484395de7e41bad93cca088eb8d6258317
                            • Opcode Fuzzy Hash: cd43e7bb22ffb4ec8caeff128777f9dbfcc96886f13e1aabc2ac68de38e8a8fe
                            • Instruction Fuzzy Hash: 450162303242008FCB18DB29E444D2AB3E6FF89320B64E479D519C73A4DB71EC46CB51
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 911ec218eaee5f337598d7a9cd5e32e28945461ba8efb82788b7c5e6b061484f
                            • Instruction ID: f67402b439f2acec794e8321c3c3b797c5b7d09f2544e4df76220524380b37bd
                            • Opcode Fuzzy Hash: 911ec218eaee5f337598d7a9cd5e32e28945461ba8efb82788b7c5e6b061484f
                            • Instruction Fuzzy Hash: 4BF0F67A3142046BD6049EBAAC84A26FB9AFBCD720714C536E409C7260CA21EC128681
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 69bddbac382fd44b5f92e7deaeb3297a704509f6494e959b33f14b7e1fdb4b7a
                            • Instruction ID: 4a17cfd778007c2e872e0a0bb21b638504d0709212d052ed434feaa0dc212005
                            • Opcode Fuzzy Hash: 69bddbac382fd44b5f92e7deaeb3297a704509f6494e959b33f14b7e1fdb4b7a
                            • Instruction Fuzzy Hash: AFF03C70D19208DBC704CF66E540DB9BFBEAB59300F14B9A9D4095B296DB309A48EB80
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a8da4b50efa0ce30d601f861e8fbd881dfcf0d3b58e35f41d37ca50f5687e569
                            • Instruction ID: 55c1e32df2ecb72c45fd2927a0b36009f373da71140d0c1ee254a1b963940b66
                            • Opcode Fuzzy Hash: a8da4b50efa0ce30d601f861e8fbd881dfcf0d3b58e35f41d37ca50f5687e569
                            • Instruction Fuzzy Hash: 22F0C8303187108FD7199B28D445A5ABBF1FF46714B09546DD25AC73A2CB35DC05CBC2
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: cb936fbdc3815b1dc98257ec90976358ce61784ecce2b0c698902d5293ef0679
                            • Instruction ID: 12c37c1d97d072c7efff82c95aca1d71209f5117b0173b14dcee3c15aef29cde
                            • Opcode Fuzzy Hash: cb936fbdc3815b1dc98257ec90976358ce61784ecce2b0c698902d5293ef0679
                            • Instruction Fuzzy Hash: 77F0C2727041086FDF01EF6AEC40EAB7BBFEBC4364B04C165E818EB265D630E9018B94
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a41c474b797f84d7c6ca0e99ff49ec13378fe461bf451ddac91bfc5461b88af6
                            • Instruction ID: 4d0779e795c6bea90b935b8bacdcc933eb7ea51606a0627a61eadcb69de08589
                            • Opcode Fuzzy Hash: a41c474b797f84d7c6ca0e99ff49ec13378fe461bf451ddac91bfc5461b88af6
                            • Instruction Fuzzy Hash: E301E974D00249AFCB50DFA9D5409AEBFF4BB08300F20819AE954E7341D7349A40CF91
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ce560e24e483598bffcadbaf065f6387239b751fbd06d96293f2105fecf5da86
                            • Instruction ID: fd78e37a98beac41dafe92b3d7ca5acd90193137bb7a147cde324e1a0cc4c951
                            • Opcode Fuzzy Hash: ce560e24e483598bffcadbaf065f6387239b751fbd06d96293f2105fecf5da86
                            • Instruction Fuzzy Hash: 25F05971A150005BD7095A2B48180AF7FABEBD5350F19053BE402C7242ED708E1387C2
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ac7165ca0f67570583fa219b6270249ab5370436f8a803508a1b659c734ca6f9
                            • Instruction ID: f0e32055981c91f69b83ec607316711de2caf9d6fde56b1f81481c4155489818
                            • Opcode Fuzzy Hash: ac7165ca0f67570583fa219b6270249ab5370436f8a803508a1b659c734ca6f9
                            • Instruction Fuzzy Hash: 96013C34B54640CFE714CB29D859F647BB2BF89B10F5980A9E15A8F2B2CB72E800CB00
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ac98afd88ecf5c621ba8c3c3eed0ac4528c7548a1c12ae9960da9c93103534da
                            • Instruction ID: 953e5a42ce262c1cd56af17dee7a65a526d3b0ce9784a88f97d6f113dbe36c25
                            • Opcode Fuzzy Hash: ac98afd88ecf5c621ba8c3c3eed0ac4528c7548a1c12ae9960da9c93103534da
                            • Instruction Fuzzy Hash: 34F0A731B10018579B088A6F9C144AFBBABEBC4361F144137E512D7250DE719D2686D1
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2c45c1522d86e88a54edc98602c9d3b0e6e713241db1b510785628a09a03f391
                            • Instruction ID: 668e66e8aec313cb88a476fa4351eab5fb96649c686357b4fb26298940be706e
                            • Opcode Fuzzy Hash: 2c45c1522d86e88a54edc98602c9d3b0e6e713241db1b510785628a09a03f391
                            • Instruction Fuzzy Hash: 8DF05E30314710CFCB288B29E449A6AB7E5FF89711B09A46DD65B87360CB32EC40CBC2
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 53416d8763c04579b8ed5f4bb714a556e6e8b2fe057927d1b256ba223001e426
                            • Instruction ID: 9030c9367f0d07ba2df94794dce7bf85c1e5a082d1153d6f22ee8643d001b05b
                            • Opcode Fuzzy Hash: 53416d8763c04579b8ed5f4bb714a556e6e8b2fe057927d1b256ba223001e426
                            • Instruction Fuzzy Hash: F9F0DAB0E1421A9FDB44DFA9E941AAEBFF8FB4C301F1049A9D918E7240E77499008BD1
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 710a199cdef80eda54c99ac2ab38229e63d3d245d17fe8205f7cf0dceae649df
                            • Instruction ID: c12215ba5af3a206029e5ceec41a518373d5080b8917adb2541f51e2c2059bde
                            • Opcode Fuzzy Hash: 710a199cdef80eda54c99ac2ab38229e63d3d245d17fe8205f7cf0dceae649df
                            • Instruction Fuzzy Hash: 9CE068322483400FC711931DE85088FEFA6EFC1360704A62BE1158B3A7DA109D4B4394
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 55cec57ada1c958a0e09615255e4c92704c9e1e424ed948ab3fe9cfd2a98f546
                            • Instruction ID: 149b901212060560cb5effa2c5b60750bff7ce8b9484d2267f3f364e62e4297b
                            • Opcode Fuzzy Hash: 55cec57ada1c958a0e09615255e4c92704c9e1e424ed948ab3fe9cfd2a98f546
                            • Instruction Fuzzy Hash: 95F0E5361045D0AFC301CF1AE4488FA7F75EB963113158266F499C7952C239DD13CBA0
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e9656894bd0a954cc16b652ba9ff2857d02c38787a5aabe8cf0246047058b4c1
                            • Instruction ID: ae161e2c7d61f62f3e2320dce721b6cf540f13c506ec6ec53e09abedce269599
                            • Opcode Fuzzy Hash: e9656894bd0a954cc16b652ba9ff2857d02c38787a5aabe8cf0246047058b4c1
                            • Instruction Fuzzy Hash: 7FE092393100504FD348AF6AD5146657BFAFB8C611B2080A4EC49CB358DA35DC029791
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f825055514e69910594994e3660fd4662f899eb7ac42be75e3bdcce02c4c8ea8
                            • Instruction ID: deedaa7c8d255e18da2a2d17b53b915099481c2563edb04ea111c39c309370ef
                            • Opcode Fuzzy Hash: f825055514e69910594994e3660fd4662f899eb7ac42be75e3bdcce02c4c8ea8
                            • Instruction Fuzzy Hash: 0BE09270254301EFC7499B76A851CB6BF7AEB9632A724677DA007CF294C637D446CB01
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f46675e091e2693f3f3ad8e646ecc49d8f083ae784208e9dcb649d39c9924f7c
                            • Instruction ID: 7477b4cd905baa5f82a30a42a2d9581457620bbcd5057378e387168d429800ce
                            • Opcode Fuzzy Hash: f46675e091e2693f3f3ad8e646ecc49d8f083ae784208e9dcb649d39c9924f7c
                            • Instruction Fuzzy Hash: DDE08C357100104F9248EBAEE6449267BEAEB8C62133080A5F90ACB328DA31EC028795
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6c2f010cd04fa0d978712a6327e04a2dfca1538d54ff97cd4cbc878314abb550
                            • Instruction ID: 5e18cc4a48701e37c9dad07a491cb59817cc59c2556322c3d39b70f235066960
                            • Opcode Fuzzy Hash: 6c2f010cd04fa0d978712a6327e04a2dfca1538d54ff97cd4cbc878314abb550
                            • Instruction Fuzzy Hash: 52E05278A15344DFCB54CFA4D99089DBBF2BF49714B249599D80AAB352D736A902CF00
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1340e09c7422fa9cbc88598ca897c691671cb6d6beecdd4730c1a8933f5c23da
                            • Instruction ID: 5fd12d512cc3ff1726bd891dbc69340a3058d57f1b5cb3af4e923740e6219aa2
                            • Opcode Fuzzy Hash: 1340e09c7422fa9cbc88598ca897c691671cb6d6beecdd4730c1a8933f5c23da
                            • Instruction Fuzzy Hash: 9DE0C275A00208DFCB64CFB1D5808AEBBB2FB4C301B60552DE40AA7650C736E881CF00
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1d21e69b58b6aaa30f13fa847a05c844e0ae00e5e429b83f1197a77c769c33b2
                            • Instruction ID: c507fb9ae4c5e8ea87056d1e7911124c0b99086934709a1ba2145a0b28caf0c7
                            • Opcode Fuzzy Hash: 1d21e69b58b6aaa30f13fa847a05c844e0ae00e5e429b83f1197a77c769c33b2
                            • Instruction Fuzzy Hash: E1E046B0D00219EFCB80EFB9C904A5EBBF4BF08300F1089A9C019E7251EBB486008F80
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 644c4f85f90cf4c538108a8b567bbd16f54a60b63435b92831aafdc908d39d92
                            • Instruction ID: 7e38f8ef409fc033440ddaa190c8f115363124feba14733e18670c6a6f806cae
                            • Opcode Fuzzy Hash: 644c4f85f90cf4c538108a8b567bbd16f54a60b63435b92831aafdc908d39d92
                            • Instruction Fuzzy Hash: 54D0A735E15019DFCF00EBE5F844CECBBB5F74A356B006422D513EB544C3301825CA04
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9f8285f894ab369e28c6cb1124cb7f4b3c74185fb319d03c40710b743502b667
                            • Instruction ID: ea419b2e8c0870877f961261b2ca4b661924ec25103efd09fdf970ae2e28ca4d
                            • Opcode Fuzzy Hash: 9f8285f894ab369e28c6cb1124cb7f4b3c74185fb319d03c40710b743502b667
                            • Instruction Fuzzy Hash: 69D0229150808003E30CE23A548C3E67B8387BB048B5C80A8CA0988107D42A000B82C3
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ec30af97e8f735890b94379030047c27dc1b8f73c37e0e66d7ed5ecfb82e6527
                            • Instruction ID: 3bac344abeb659c74c821021f03e6c6dbdf55e57423de925af5145500d6f78f6
                            • Opcode Fuzzy Hash: ec30af97e8f735890b94379030047c27dc1b8f73c37e0e66d7ed5ecfb82e6527
                            • Instruction Fuzzy Hash: DCD0123225020C5F8B40EF95F940C7777EDFB187007408862F504C7130E621E928E751
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 075ea2f80f5a42d86d0fe2c6cbf64723dd9f4c9801310ab39c9f0ce8aa9557e6
                            • Instruction ID: 45a1705dad3bbde6ff0e230e7d075123951be831484cb428ff47dca346fbe266
                            • Opcode Fuzzy Hash: 075ea2f80f5a42d86d0fe2c6cbf64723dd9f4c9801310ab39c9f0ce8aa9557e6
                            • Instruction Fuzzy Hash: 0FD092B5200704CFC3249B6BE209519B7B2FB4970A740066EE8834A790EB3AAD12CB42
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0a2ad1d79382e0dc14100d7bc9a826bd4a5c3cefed9ff515110d9c953c3610de
                            • Instruction ID: 7224ca3971874b221ea68ef464ee1a1c20703fa9d641f85a078ebec04b3e616f
                            • Opcode Fuzzy Hash: 0a2ad1d79382e0dc14100d7bc9a826bd4a5c3cefed9ff515110d9c953c3610de
                            • Instruction Fuzzy Hash: 3FC08C3000120487C2252796B80C3A87BA8EB44323F101214F00E000A18BA98D90C652
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: f9127d64e7c146701203bdcde155571b8e151f3861ecb544a2059a19911fe56b
                            • Instruction ID: cbfb323e53c1fbfebdd56497430cfddf05e5277e13f9414a29700597dc625dd4
                            • Opcode Fuzzy Hash: f9127d64e7c146701203bdcde155571b8e151f3861ecb544a2059a19911fe56b
                            • Instruction Fuzzy Hash: 00D0CA30E0820ACBCB00CF81E844AADBBBAEB08309F209004E41AA7280C3386D028F00
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d6a545b3ce50ba35fd277971cd27f71746407574cb03eb7f5e47bbca00227d7e
                            • Instruction ID: 8c88b5ae6e065a4d84eda79117147401ea9a0501b5f6fbab3f075f06811519ed
                            • Opcode Fuzzy Hash: d6a545b3ce50ba35fd277971cd27f71746407574cb03eb7f5e47bbca00227d7e
                            • Instruction Fuzzy Hash: 4AB012753F4211F5A841A3647E45D2BD812EBE1740F44BC12734750099C424D87FD12F
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9d4cb1d10660eceeae4138a2ac77c10f7e1a704c9350417fa3874aae8b86b51b
                            • Instruction ID: d74b51759bd5817d4845c8666115f1514f86f43eace5bd9b1bc7f390f07cdfcf
                            • Opcode Fuzzy Hash: 9d4cb1d10660eceeae4138a2ac77c10f7e1a704c9350417fa3874aae8b86b51b
                            • Instruction Fuzzy Hash: 63C08C30840109CFCF04DF69E2848AEBB76FF44301B00502990019A9AAEB38A9868B02
                            Memory Dump Source
                            • Source File: 00000008.00000002.1756488876.0000000005A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 05A00000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_8_2_5a00000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 9dac86067472deedd956f77fce8962e9986c389f50af953fddaa3af95f0dc1ca
                            • Instruction ID: 4673af5fc7ea89c643e0f6c16e04aa53b5e382d9a855e4ee28ad88d63e7139ac
                            • Opcode Fuzzy Hash: 9dac86067472deedd956f77fce8962e9986c389f50af953fddaa3af95f0dc1ca
                            • Instruction Fuzzy Hash: 25B0110C0282E388CAAA23322E383EA2F20B302000F882880C0C202A2288082C028320

                            Execution Graph

                            Execution Coverage:8.3%
                            Dynamic/Decrypted Code Coverage:100%
                            Signature Coverage:0%
                            Total number of Nodes:87
                            Total number of Limit Nodes:7
                            execution_graph 50943 2e34668 50944 2e34684 50943->50944 50945 2e34696 50944->50945 50947 2e347a0 50944->50947 50948 2e347c5 50947->50948 50952 2e348a1 50948->50952 50956 2e348b0 50948->50956 50953 2e348b0 50952->50953 50955 2e349b4 50953->50955 50960 2e34248 50953->50960 50958 2e348d7 50956->50958 50957 2e349b4 50957->50957 50958->50957 50959 2e34248 CreateActCtxA 50958->50959 50959->50957 50961 2e35940 CreateActCtxA 50960->50961 50963 2e35a03 50961->50963 51017 2e3d0b8 51018 2e3d0fe 51017->51018 51022 2e3d289 51018->51022 51025 2e3d298 51018->51025 51019 2e3d1eb 51028 2e3c9a0 51022->51028 51026 2e3d2c6 51025->51026 51027 2e3c9a0 DuplicateHandle 51025->51027 51026->51019 51027->51026 51029 2e3d300 DuplicateHandle 51028->51029 51030 2e3d2c6 51029->51030 51030->51019 51031 2e3ad38 51032 2e3ad47 51031->51032 51034 2e3ae30 51031->51034 51035 2e3ae41 51034->51035 51036 2e3ae64 51034->51036 51035->51036 51042 2e3b0c8 51035->51042 51046 2e3b0b8 51035->51046 51036->51032 51037 2e3ae5c 51037->51036 51038 2e3b068 GetModuleHandleW 51037->51038 51039 2e3b095 51038->51039 51039->51032 51043 2e3b0dc 51042->51043 51045 2e3b101 51043->51045 51050 2e3a870 51043->51050 51045->51037 51047 2e3b0dc 51046->51047 51048 2e3a870 LoadLibraryExW 51047->51048 51049 2e3b101 51047->51049 51048->51049 51049->51037 51051 2e3b2a8 LoadLibraryExW 51050->51051 51053 2e3b321 51051->51053 51053->51045 50964 150d01c 50965 150d034 50964->50965 50966 150d08e 50965->50966 50969 54c2c08 50965->50969 50978 54c0ad4 50965->50978 50971 54c2c18 50969->50971 50970 54c2c79 51003 54c0bfc 50970->51003 50971->50970 50973 54c2c69 50971->50973 50987 54c2d90 50973->50987 50992 54c2e6c 50973->50992 50998 54c2da0 50973->50998 50974 54c2c77 50979 54c0adf 50978->50979 50980 54c2c79 50979->50980 50982 54c2c69 50979->50982 50981 54c0bfc CallWindowProcW 50980->50981 50983 54c2c77 50981->50983 50984 54c2e6c CallWindowProcW 50982->50984 50985 54c2d90 CallWindowProcW 50982->50985 50986 54c2da0 CallWindowProcW 50982->50986 50984->50983 50985->50983 50986->50983 50988 54c2da0 50987->50988 51007 54c2e48 50988->51007 51011 54c2e58 50988->51011 50989 54c2e40 50989->50974 50993 54c2e2a 50992->50993 50994 54c2e7a 50992->50994 50996 54c2e48 CallWindowProcW 50993->50996 50997 54c2e58 CallWindowProcW 50993->50997 50995 54c2e40 50995->50974 50996->50995 50997->50995 50999 54c2db4 50998->50999 51001 54c2e48 CallWindowProcW 50999->51001 51002 54c2e58 CallWindowProcW 50999->51002 51000 54c2e40 51000->50974 51001->51000 51002->51000 51004 54c0c07 51003->51004 51005 54c435a CallWindowProcW 51004->51005 51006 54c4309 51004->51006 51005->51006 51006->50974 51008 54c2e58 51007->51008 51009 54c2e69 51008->51009 51014 54c4292 51008->51014 51009->50989 51012 54c2e69 51011->51012 51013 54c4292 CallWindowProcW 51011->51013 51012->50989 51013->51012 51015 54c0bfc CallWindowProcW 51014->51015 51016 54c42aa 51015->51016 51016->51009
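                            The execution graph above is emitted as one flat token stream: a node id, its address, an API name when the sandbox resolved one, and `src->dst` edges. The following Python is an added example, not part of the Joe Sandbox report, that parses that stream and lists which Windows APIs (CreateActCtxA, DuplicateHandle, GetModuleHandleW, LoadLibraryExW, CallWindowProcW in this report) are reachable from each chain's entry node. The token grammar is inferred from the visible dump and is an assumption, and SAMPLE_GRAPH is a constructed excerpt of a few nodes and edges; paste the full `execution_graph` line in its place to analyse the whole graph.

```python
import re
from collections import defaultdict

# Constructed excerpt of the report's execution_graph token stream (a few
# nodes and edges taken from the dump above); replace with the full line to
# analyse the whole graph.
SAMPLE_GRAPH = (
    "execution_graph 50943 2e34668 50944 2e34684 50943->50944 50945 2e34696 "
    "50944->50945 50947 2e347a0 50944->50947 50948 2e347c5 50947->50948 "
    "50959 2e34248 CreateActCtxA 50958->50959 50959->50957 "
    "51038 2e3b068 GetModuleHandleW 51037->51038 "
    "51048 2e3a870 LoadLibraryExW 51047->51048 51048->51049 "
    "50981 54c0bfc CallWindowProcW 50980->50981"
)

# Assumed grammar (inferred from the dump, not documented by Joe Sandbox):
# node ids are five decimal digits, addresses are hex, an API name follows
# the address only when one was resolved, and edges are written "src->dst".
NODE_ID = re.compile(r"^\d{5}$")
EDGE = re.compile(r"^(\d{5})->(\d{5})$")


def parse_execution_graph(text):
    """Return (nodes, edges); nodes maps node id -> (address, api or None)."""
    tokens = text.split()
    if tokens and tokens[0] == "execution_graph":
        tokens = tokens[1:]
    nodes, edges = {}, []
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        m = EDGE.match(tok)
        if m:
            edges.append((m.group(1), m.group(2)))
            i += 1
            continue
        if NODE_ID.match(tok) and i + 1 < len(tokens):
            address = tokens[i + 1]
            api = None
            j = i + 2
            # A following token that is neither a node id nor an edge is the API name.
            if j < len(tokens) and not NODE_ID.match(tokens[j]) and not EDGE.match(tokens[j]):
                api = tokens[j]
                j += 1
            nodes[tok] = (address, api)
            i = j
            continue
        raise ValueError(f"unexpected token {tok!r} at position {i}")
    return nodes, edges


def api_call_sites(nodes):
    """Map each resolved API name to the sorted list of addresses that call it."""
    sites = defaultdict(list)
    for address, api in nodes.values():
        if api:
            sites[api].append(address)
    return {api: sorted(addrs) for api, addrs in sites.items()}


def reachable_apis(nodes, edges, start):
    """Depth-first walk from `start`; returns the sorted set of APIs reached.

    Edges may name nodes the dump never defines (the dump is a partial view);
    those are walked but carry no API.
    """
    successors = defaultdict(list)
    for src, dst in edges:
        successors[src].append(dst)
    seen, stack, apis = set(), [start], set()
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        api = nodes.get(node, (None, None))[1]
        if api:
            apis.add(api)
        stack.extend(successors[node])
    return sorted(apis)


def entry_points(nodes, edges):
    """Defined nodes with no incoming edge: where each recorded chain starts."""
    targets = {dst for _, dst in edges}
    return sorted(n for n in nodes if n not in targets)


if __name__ == "__main__":
    nodes, edges = parse_execution_graph(SAMPLE_GRAPH)
    print(f"{len(nodes)} nodes, {len(edges)} edges")
    for api, addrs in sorted(api_call_sites(nodes).items()):
        print(f"{api:18s} called from {', '.join(addrs)}")
    for entry in entry_points(nodes, edges):
        print(f"from {entry}: {reachable_apis(nodes, edges, entry) or 'no API reached'}")
```

                            On the full graph the walk only makes explicit what the report already records: the chains in the 2e3xxxx region end in CreateActCtxA, DuplicateHandle and GetModuleHandleW/LoadLibraryExW, and the 54cxxxx region in CallWindowProcW. The parser raises on any token it cannot classify, so a changed report format fails loudly rather than silently dropping edges.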

                            Control-flow Graph

                            • Executed
                            • Not Executed
                            control_flow_graph 548 67ac848-67ac873 549 67ac87a-67ac8cc 548->549 550 67ac875 548->550 552 67ac8ce-67ac8ee 549->552 553 67ac8f0-67ac8f2 549->553 550->549 554 67ac8f5-67ac900 552->554 553->554 556 67acacf-67acaf3 554->556 557 67ac906-67aca23 554->557 562 67acaf4-67acb22 556->562 585 67aca25 call 67acbbb 557->585 586 67aca25 call 67acbc8 557->586 576 67aca2b-67aca3d 587 67aca42 call 67ad7b3 576->587 588 67aca42 call 67ad7c0 576->588 577 67aca48-67acab3 call 67a8c20 * 2 589 67acab6 call 67ae0d0 577->589 590 67acab6 call 67ae0a7 577->590 584 67acabc-67acacd 584->562 585->576 586->576 587->577 588->577 589->584 590->584
                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1867522472.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_67a0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID: 1$v
                            • API String ID: 0-2456183578
                            • Opcode ID: 81968a31c98a9e622feeaf6a1d0377a0540e1a1a87c86f773f126a81b4175ce6
                            • Instruction ID: 425380e3898cb79e1ebd29404697054f250f62f89b2f8601a478ddced6a562ae
                            • Opcode Fuzzy Hash: 81968a31c98a9e622feeaf6a1d0377a0540e1a1a87c86f773f126a81b4175ce6
                            • Instruction Fuzzy Hash: A791B274E01218DFDB58DFA9D894A9DBBF2FF89300F1481AAD819AB354DB319981CF50

                            Control-flow Graph (entry 67ac838; graph not rendered)
                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1867522472.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_67a0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID: 1$v
                            • API String ID: 0-2456183578
                            • Opcode ID: 796d62b6644aaa84a38bb9e2698328702f1bc613a2b0b19586dc9e39840defcd
                            • Instruction ID: 3170c0d3794395274e9151e95b001bc178339f8b6e7b73186c7e7776253a05e5
                            • Opcode Fuzzy Hash: 796d62b6644aaa84a38bb9e2698328702f1bc613a2b0b19586dc9e39840defcd
                            • Instruction Fuzzy Hash: DB91C274E01218DFDB58DFA9D894A9DBBF2BF89300F1481AAD819AB355DB305981CF50
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1864676422.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_5ad0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 0c9cd3b4a102cfbe519a90650e8a394b3a1efd7b77f099e4e5198c7671ed3b8e
                            • Instruction ID: 70d44e70794ad972f6d379618a0e171e0610b4e3f6fd73de7afcfa9e2fccb14a
                            • Opcode Fuzzy Hash: 0c9cd3b4a102cfbe519a90650e8a394b3a1efd7b77f099e4e5198c7671ed3b8e
                            • Instruction Fuzzy Hash: 20928074B002059FCB14EF69D884A6EBBF2FF88310F148969E5169B3A5DB35EC45CB90
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1867522472.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_67a0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d7c75870eb3c0794a7cdb59a673d9d7272e6ecf0b12c4a8c8e889083bc08f660
                            • Instruction ID: caccee5ca76afb05c70808a7b73e4a12b225417cc1676c5ab2fdad76119c8d49
                            • Opcode Fuzzy Hash: d7c75870eb3c0794a7cdb59a673d9d7272e6ecf0b12c4a8c8e889083bc08f660
                            • Instruction Fuzzy Hash: 4BA28274E012298FDB64DF69C984BDDB7B2BF88300F5482A9D509AB355DB30AE85CF50
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1864676422.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_5ad0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ac82af5d16ee8cd9a50c9263218dd29bd7498b4deaec70c63173216d3cec7364
                            • Instruction ID: d058cc7095bbe9967c8b7ba8807f20ae24d10fbb18726c6dfe87c096f3acb606
                            • Opcode Fuzzy Hash: ac82af5d16ee8cd9a50c9263218dd29bd7498b4deaec70c63173216d3cec7364
                            • Instruction Fuzzy Hash: FF62D774B002188FCB55EF64D999B6DBBB2BF88300F1484A9E50AAB395DF349D85CF50
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1864676422.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_5ad0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: a74d900e3284d53dca6da43f1b8fbeebcf926f183d2dbe9740fce768b00d678e
                            • Instruction ID: 1e32a0fac77123e6180b004ed20c18a111ead9430fab9e6f3b38d4e201f01d69
                            • Opcode Fuzzy Hash: a74d900e3284d53dca6da43f1b8fbeebcf926f183d2dbe9740fce768b00d678e
                            • Instruction Fuzzy Hash: 00D19035B002099FCB05EFB5C854AAEBBB6FF89350B15806AE506DB365DB35DC06CB60
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1864676422.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_5ad0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 09a389cdbbd49cc925f53654a3556a2e29763e25b3dd3de44b4f86bbfda9a74f
                            • Instruction ID: 297c52321d9a4604ec9c2988f0d53b54feb5ea7bbe48702a6b7811093954dfc6
                            • Opcode Fuzzy Hash: 09a389cdbbd49cc925f53654a3556a2e29763e25b3dd3de44b4f86bbfda9a74f
                            • Instruction Fuzzy Hash: 6CD14834A01209DFCB14DF69D58496EBBF2FF88310B158469E8169B364DB35EC42CFA0
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1867522472.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_67a0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 96fed974e69162580f2e0bab76d807f9363e734617b50660976db80981365e3f
                            • Instruction ID: b041de1c1da514981e0991eb20df4f96291a42365cbbb7887067e23e2433dc9f
                            • Opcode Fuzzy Hash: 96fed974e69162580f2e0bab76d807f9363e734617b50660976db80981365e3f
                            • Instruction Fuzzy Hash: D0E1C574E01218DFDB54DFA9C984B9DFBB2BF88310F2482A9D409A7356DB31A985CF50

                            Control-flow Graph (entry 67ae918; graph not rendered)
                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1867522472.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_67a0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID: Hbq$Hbq$Hbq$`
                            • API String ID: 0-4250499658
                            • Opcode ID: 4434f5eb176f56d53ec42993f0b79912cb17787f4f128d7dcf9f597dd3ae0bd5
                            • Instruction ID: f5bc4d0c9ca804cb858457dc3a3bdfebc8094e482b8f02999ad911e37e74131e
                            • Opcode Fuzzy Hash: 4434f5eb176f56d53ec42993f0b79912cb17787f4f128d7dcf9f597dd3ae0bd5
                            • Instruction Fuzzy Hash: DE227274A01219CFDB54DFA9C994B9DBBF2BF88300F1085A9D509AB365D730AE85CF50

                            Control-flow Graph (entry 67af185; graph not rendered)
                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1867522472.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_67a0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID: Hbq$P!tq$sqq
                            • API String ID: 0-800823276
                            • Opcode ID: 34c806491d302e233111607feb9c95dccd9f3062346dabdefd771d8e137fec51
                            • Instruction ID: ebf736103b80205c8379d44fce50d9acdc8dfac3f714c46907d1a9d5493ac367
                            • Opcode Fuzzy Hash: 34c806491d302e233111607feb9c95dccd9f3062346dabdefd771d8e137fec51
                            • Instruction Fuzzy Hash: 99418D74E052099FCB45DFA8D854AEEBFB1FF89310F10816AE405AB351CB349A85CBA1

                            Control-flow Graph (entry 67ae907; graph not rendered)
                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1867522472.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_67a0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID: Hbq$Hbq$`
                            • API String ID: 0-1535830117
                            • Opcode ID: f83fabcf19fd5e1566769e287da5140118dffa1ac1dd639caa6abd3aaa6e54b7
                            • Instruction ID: 7b5341d5c2d732cb813171aa5f13b744d99369a4d9c75834a789f1ded3479052
                            • Opcode Fuzzy Hash: f83fabcf19fd5e1566769e287da5140118dffa1ac1dd639caa6abd3aaa6e54b7
                            • Instruction Fuzzy Hash: 3FF18374E012198FDB54CFA9C984B9DBBF2BF88300F1085A9E509AB365D730AE85CF51

                            Control-flow Graph (entry 67ace78; graph not rendered)
                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1867522472.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_67a0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID: (&^q$(bq
                            • API String ID: 0-1294341849
                            • Opcode ID: 269316f3639c0b417a61eb08a12a4f37b85b66155542909e5ca22bd79bf86a09
                            • Instruction ID: 1129442fb258f957fca6c08865f3b3221020bfc72d5b1881ad1d21600166e0a4
                            • Opcode Fuzzy Hash: 269316f3639c0b417a61eb08a12a4f37b85b66155542909e5ca22bd79bf86a09
                            • Instruction Fuzzy Hash: 41516E31F102199FDB59EFB9C4506AEBBF2AFD4740F248529D406AB384DE30AD46CB91

                            Control-flow Graph (entry 2e3ae30; graph not rendered)
                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 02E3B086
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1852912571.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_2e30000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: 375d3a9055382312468154e16fb7dd3c6aecfac558d6bb13cfd8b4b53f9bfdc5
                            • Instruction ID: 34b283a46814e9bf68f6347e607780d027de189eb881f1a87e4f644cb191fddf
                            • Opcode Fuzzy Hash: 375d3a9055382312468154e16fb7dd3c6aecfac558d6bb13cfd8b4b53f9bfdc5
                            • Instruction Fuzzy Hash: 4D7104B0A40B058FD725DF2AD54875ABBF1FF48209F00892DD48AD7B50D775E885CB91

                            Control-flow Graph (entry 67af1fc; graph not rendered)
                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1867522472.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_67a0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID: Hbq
                            • API String ID: 0-1245868
                            • Opcode ID: 4a6ef5afefb7ffa87df4f1f97641fe31e8bdf179fcce8c4a88352481f04c0f42
                            • Instruction ID: 7c58ecaba8d08aa71ccc98b92a7cae426d6cf845f520a6e9f7cd200fae85f155
                            • Opcode Fuzzy Hash: 4a6ef5afefb7ffa87df4f1f97641fe31e8bdf179fcce8c4a88352481f04c0f42
                            • Instruction Fuzzy Hash: A7415D74E012199FCB45DFA8D844AEEBBB1FF89310F10816AE505AB391C7349E85CFA1

                            Control-flow Graph (entry 67af145; graph not rendered)
                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1867522472.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_67a0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID: Hbq
                            • API String ID: 0-1245868
                            • Opcode ID: 04dcfdcb4263d3c793b3c96f7539172a8bdcf29a94cb7361582cdafbd24d999e
                            • Instruction ID: 2e6f33968ee30c18c5edefe113735efa0d1372f4a0c0d26c3113a4d33b2ca817
                            • Opcode Fuzzy Hash: 04dcfdcb4263d3c793b3c96f7539172a8bdcf29a94cb7361582cdafbd24d999e
                            • Instruction Fuzzy Hash: 6E41AE74D052499FCB45CFA8D840AEEBFB1FF89300F10856AE505AB361C7349A85CBA1

                            Control-flow Graph (entry 54c0bfc; graph not rendered)
                            APIs
                            • CallWindowProcW.USER32(?,?,?,?,?), ref: 054C4381
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1862696461.00000000054C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 054C0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_54c0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID: CallProcWindow
                            • String ID:
                            • API String ID: 2714655100-0
                            • Opcode ID: 253cb924f75f99d5e78111788a19e7a82a36c943d70415c9b7dfa0a9cb2921f5
                            • Instruction ID: 6fff8054674ee260ce0ac707ef3f6ef2580534a90226ec388f389e69b5fab45a
                            • Opcode Fuzzy Hash: 253cb924f75f99d5e78111788a19e7a82a36c943d70415c9b7dfa0a9cb2921f5
                            • Instruction Fuzzy Hash: 2C4108B8A00205CFDB54CF99C548AEABBF5FB88314F14C59AD519AB321D775A841CFA0

                            Control-flow Graph (entry 2e34248; graph not rendered)
                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 02E359F1
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1852912571.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_2e30000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0
                            • Opcode ID: 286352a3c117b1408857b4eda64f1de947be7f91f7bfbb7e149f7cbc6104cbb9
                            • Instruction ID: a3c14beba80a9ad7adf48463ff55ff4fc4d4c6daf72d464ebbb0cc90be0a6b37
                            • Opcode Fuzzy Hash: 286352a3c117b1408857b4eda64f1de947be7f91f7bfbb7e149f7cbc6104cbb9
                            • Instruction Fuzzy Hash: 7241D1B0D00619CFDB24CFA9C888BDDBBB5FF49304F64806AD408AB255DB756949CF90
                            APIs
                            • CreateActCtxA.KERNEL32(?), ref: 02E359F1
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1852912571.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_2e30000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID: Create
                            • String ID:
                            • API String ID: 2289755597-0
                            • Opcode ID: b7cfd86bd53360c076e054f41513e6b22a9f86aaa342d3eeb765481101f19fa7
                            • Instruction ID: 9f1ecec536c5aaabcc7fe7ac9a234284c5917425683ed8420534284934b3092d
                            • Opcode Fuzzy Hash: b7cfd86bd53360c076e054f41513e6b22a9f86aaa342d3eeb765481101f19fa7
                            • Instruction Fuzzy Hash: 9B41F0B0C40619CEDB24CFA9C888BDDBBB5FF49304F24806AD418AB255DB756989CF90
                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02E3B101,00000800,00000000,00000000), ref: 02E3B312
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1852912571.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_2e30000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 7eed07eb0521d502f8af86b7e0fa261fb7c850eeecd6eb2741c094ab7de1a483
                            • Instruction ID: 6e3d5d0e358e7cdacc7593fe4710a5e1dc8e245c87b45de152f68b0ac1709edb
                            • Opcode Fuzzy Hash: 7eed07eb0521d502f8af86b7e0fa261fb7c850eeecd6eb2741c094ab7de1a483
                            • Instruction Fuzzy Hash: 6F318CB68043988FDB11DFA9C8587DEBFF4EF59314F04806AD499AB211C3749545CFA1
                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02E3D2C6,?,?,?,?,?), ref: 02E3D387
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1852912571.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_2e30000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: a06b76cd71d57be6ff731608effe6274224826f6d77ca5146811535634d81f56
                            • Instruction ID: 7f18e6a44db405a7c5f9d37368e45fe7ec8a541fd2797ba69847887a3a8080da
                            • Opcode Fuzzy Hash: a06b76cd71d57be6ff731608effe6274224826f6d77ca5146811535634d81f56
                            • Instruction Fuzzy Hash: 2F21E4B5900208DFDB10CF9AD984AEEBBF4FB48310F14845AE958A7310D374A954CFA4
                            APIs
                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02E3D2C6,?,?,?,?,?), ref: 02E3D387
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1852912571.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_2e30000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID: DuplicateHandle
                            • String ID:
                            • API String ID: 3793708945-0
                            • Opcode ID: 957704a9f6157f5a5a4c9f71d069f49520025aa67ae9eb9a3582d9410d9882c5
                            • Instruction ID: 7e0dd58810c8f453bf04345f9ea08a5cb27772a4d2b41e90f724486bdc384df2
                            • Opcode Fuzzy Hash: 957704a9f6157f5a5a4c9f71d069f49520025aa67ae9eb9a3582d9410d9882c5
                            • Instruction Fuzzy Hash: 2121E2B5D00218DFDB10CFA9D985AEEBBF5FB48324F14841AE958A3310D374A954CFA0
                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02E3B101,00000800,00000000,00000000), ref: 02E3B312
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1852912571.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_2e30000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: 06966df71a470105013ae0c9e86372d78b0cef4308af728a74ed5f4df665cedb
                            • Instruction ID: 26c420cf48cc75cdc1a4f5b3a838daa2c0ff94cf173643a233a23399128705c3
                            • Opcode Fuzzy Hash: 06966df71a470105013ae0c9e86372d78b0cef4308af728a74ed5f4df665cedb
                            • Instruction Fuzzy Hash: 6411F6B69003599FDB10CF9AC848BDEFBF4EB48714F14842ED869A7210C375A545CFA5
                            APIs
                            • LoadLibraryExW.KERNELBASE(00000000,00000000,?,?,?,?,00000000,?,02E3B101,00000800,00000000,00000000), ref: 02E3B312
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1852912571.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_2e30000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID: LibraryLoad
                            • String ID:
                            • API String ID: 1029625771-0
                            • Opcode ID: a63a68ab3851ea945b01ecfe7c71414c61cd2015855a56cd5e68ceb3add4e9bf
                            • Instruction ID: 4f17ae9e90fc8a28eda1a379830f93575dbed10df80e54dd8b9b16c6d6cf957b
                            • Opcode Fuzzy Hash: a63a68ab3851ea945b01ecfe7c71414c61cd2015855a56cd5e68ceb3add4e9bf
                            • Instruction Fuzzy Hash: B31114B69003498FDB10CF9AC448ADEFBF4EB48314F10842ED819A7210C375A544CFA4
                            APIs
                            • GetModuleHandleW.KERNELBASE(00000000), ref: 02E3B086
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1852912571.0000000002E30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E30000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_2e30000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID: HandleModule
                            • String ID:
                            • API String ID: 4139908857-0
                            • Opcode ID: c24f80e6b320a6be4d257e9a95a162692e80be4f2c39ec78346aec534eb636bd
                            • Instruction ID: 8468515aaca81bd6bcfb7c631e6bd6588913c3f5d5240456b96825aa68d797fa
                            • Opcode Fuzzy Hash: c24f80e6b320a6be4d257e9a95a162692e80be4f2c39ec78346aec534eb636bd
                            • Instruction Fuzzy Hash: 0E11DFB5D00349CFDB20DF9AC848ADEFBF4EB89228F10846AD469A7210D375A545CFA5
                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1867522472.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_67a0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID: Hbq
                            • API String ID: 0-1245868
                            • Opcode ID: 8dae36508ff14cfa3b014e31066b583b6a8ef013d6dc3cbbc376e6cfcbc69db0
                            • Instruction ID: bece1cc2cb9e76df910293b5c823ab1f87d8d77b158905b0316a22ae1ad63108
                            • Opcode Fuzzy Hash: 8dae36508ff14cfa3b014e31066b583b6a8ef013d6dc3cbbc376e6cfcbc69db0
                            • Instruction Fuzzy Hash: 5E411B74E01219DFCB44DFA8D444AEEBBB2FF88310F108529E505AB350DB349A85CFA0
                            Strings
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1867522472.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_67a0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID: (bq
                            • API String ID: 0-149360118
                            • Opcode ID: 05f079191bbf31cb6df6e415872ca3934f40e887a6dbbcfcfbe4db0f5f4867ba
                            • Instruction ID: 0874f9416f5bf81cb0396fe4a6b092801f6045ebb5c79a94cbd62255357c72ba
                            • Opcode Fuzzy Hash: 05f079191bbf31cb6df6e415872ca3934f40e887a6dbbcfcfbe4db0f5f4867ba
                            • Instruction Fuzzy Hash: AE01453160A3849FC3159F7A9C1045FBFBAEF8626171446AFD10AD7792CE309D09CBA2
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1864676422.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_5ad0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 5ea5346c4a7eceac4f410b720481138aa8fdda8751eb14f6afed12751966cdeb
                            • Instruction ID: b730f7f69c34b66f50a396b530b57a45b653d307880e095a15957c59149723a9
                            • Opcode Fuzzy Hash: 5ea5346c4a7eceac4f410b720481138aa8fdda8751eb14f6afed12751966cdeb
                            • Instruction Fuzzy Hash: 05E16B747002158FC714EF79C894A6ABBF6FF89210B1544AAE506CB3A6DF31DC45CBA1
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1864676422.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_5ad0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 4bdf660ac60518d8784d4463306cd12e5585b813042869d74365d6e5c499336b
                            • Instruction ID: 39de1f47e7ef6e228f45aec0ba0393cdc29e6d10ff398b143a3106d0b553b8c8
                            • Opcode Fuzzy Hash: 4bdf660ac60518d8784d4463306cd12e5585b813042869d74365d6e5c499336b
                            • Instruction Fuzzy Hash: BFE13B74A00205DFCB14DF65D598AAEBBB2FF88310F158529E9169B3A5DB30EC45CF90
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1864676422.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_5ad0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c341ef03e2c3fe37a122ac75452a0db3f1c09378fa711d31e9e5061a515f852c
                            • Instruction ID: 557bb82a2b939958bba5928126d2d8b9e208584b7f9fbca2c596c33930712fc3
                            • Opcode Fuzzy Hash: c341ef03e2c3fe37a122ac75452a0db3f1c09378fa711d31e9e5061a515f852c
                            • Instruction Fuzzy Hash: 2DD1FA34A00219CFDB29DF64D954BADBBB2FB88311F1088A9E90AA7354DF359D85CF50
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1864676422.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_5ad0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 62b66e1fe367229350385dd8a9b466884843d39b0060ce5f0b47d92a55821f26
                            • Instruction ID: 12ebf30b71e90941f30202842c1fb53ae9f1383cd989a6136afbbce5727c9f14
                            • Opcode Fuzzy Hash: 62b66e1fe367229350385dd8a9b466884843d39b0060ce5f0b47d92a55821f26
                            • Instruction Fuzzy Hash: 6A716C74A05209DFCB18DF69D58496DBBF2FF88304B254469E806DB3A0DB31ED42CB61
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1864676422.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_5ad0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 47e80f7eb5bdfb6402b19c6a63858a9f6265326323843e8c3b51b0b702803be7
                            • Instruction ID: 54d5c94ae310b948daf064bba9f661bb1bfb7df558e557f9bd1c0650a4bfd1a5
                            • Opcode Fuzzy Hash: 47e80f7eb5bdfb6402b19c6a63858a9f6265326323843e8c3b51b0b702803be7
                            • Instruction Fuzzy Hash: 58810974A00209DFCB14DF65D598AADFBB2FF88310B158569E8169B365DB30EC85CF90
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1864676422.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_5ad0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 8cc77d3b2783d31c4f8bdae09b1651a3b72a918c589760f0102edc9cf38aadc4
                            • Instruction ID: 705bc51815cd9bb91cec7363df097212ceb4aa177e97b3d651495e8abb92f4f9
                            • Opcode Fuzzy Hash: 8cc77d3b2783d31c4f8bdae09b1651a3b72a918c589760f0102edc9cf38aadc4
                            • Instruction Fuzzy Hash: 58514A34B002448FDB55EB69C498EAEBFF6BF88250F184469E8069B3A5DE35DC45CB60
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1864676422.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_5ad0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 46d5e9f4a119cc0e9f6b0d76363b153748566ba1a8f7526686304720a83e9037
                            • Instruction ID: 9a827ecd141b0528e42371ffff414564e51772ec94aa00568fa1a8d73aed5923
                            • Opcode Fuzzy Hash: 46d5e9f4a119cc0e9f6b0d76363b153748566ba1a8f7526686304720a83e9037
                            • Instruction Fuzzy Hash: 71517A74A042849FDB45DB69C494EADBFF6BF89250F1840AAE406EB3A1DA31DC45CB60
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1864676422.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_5ad0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d650116b5dbb03bde28982ec34c1a43b9f7fb2775867ec920f9e51374feefc25
                            • Instruction ID: 8fa7075d6cb38057e4d6751787d006846ed1d05a4d45c4a03dcd2455eff47f0f
                            • Opcode Fuzzy Hash: d650116b5dbb03bde28982ec34c1a43b9f7fb2775867ec920f9e51374feefc25
                            • Instruction Fuzzy Hash: B4410171B002069FDB14EF29D890FAEBFB2FF91250F04806AD9458B365EE30D80AC791
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1864676422.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_5ad0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: d9464c44008ce15217c57d3b77b8951bc3941584b89b437373ee8ed214a7fd83
                            • Instruction ID: 6cde1bf2e65da017cdfcea0e438630692c313051fb1586250355f05aa4e38017
                            • Opcode Fuzzy Hash: d9464c44008ce15217c57d3b77b8951bc3941584b89b437373ee8ed214a7fd83
                            • Instruction Fuzzy Hash: FB51C534A00209DFCB15DFA4D988EADBBB2FF88310F558554E916AB265CB31EC86DF50
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1864676422.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_5ad0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 2514b2bd7c838fe47aebbf037883085e9bd33eb0e7e59172274f956490653d9c
                            • Instruction ID: f6743f5992c5a866aa71aa1a6b7ce8c6cedbba682068371b0f5cbbd1bff81117
                            • Opcode Fuzzy Hash: 2514b2bd7c838fe47aebbf037883085e9bd33eb0e7e59172274f956490653d9c
                            • Instruction Fuzzy Hash: 1F41B834B043459FDB15ABB8D425A6EBFB2BB85300F14446AE407CB385EE309D05CB92
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1864676422.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_5ad0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 86094d2e4930e84ffc156fbf6a7ec9fb389a501594c9184104f8f4454b31306a
                            • Instruction ID: 679e51b91dc2e151026880f80dd4199a94d8c368acf6356c59bbe9e3992cc03e
                            • Opcode Fuzzy Hash: 86094d2e4930e84ffc156fbf6a7ec9fb389a501594c9184104f8f4454b31306a
                            • Instruction Fuzzy Hash: 1A41E830A082459FCB15EF74C855AAEBFB2FF85200F14449AE8528B3A1DB35D905CB71
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1867522472.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_67a0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: bb2022a7ffcbc14391f4ae3ca4e91d83febe8b036515dae6cc3572eeb1f0f763
                            • Instruction ID: ce993a19028eede3d5442bebd40eb1e5b08db02232c8bc1340553cb1779060e3
                            • Opcode Fuzzy Hash: bb2022a7ffcbc14391f4ae3ca4e91d83febe8b036515dae6cc3572eeb1f0f763
                            • Instruction Fuzzy Hash: BD51A574E01618DFCB48DFA5D89499DBBF2FF89310F20812AE909AB364DB31A945CF40
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1867522472.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_67a0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 46c6ede8270b70454d11f2eb0935832c85c068d018c875a0df11ea3d2d82468c
                            • Instruction ID: 7bf1caa30355acbd81bfff14c0165f08ac15c876ceb7ab7da0a6596cfcb7d5e4
                            • Opcode Fuzzy Hash: 46c6ede8270b70454d11f2eb0935832c85c068d018c875a0df11ea3d2d82468c
                            • Instruction Fuzzy Hash: 4A417531E103099BDB65DFA5C880AEFBBB5AFC8700F148229E415B7340DB70AD46CB91
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1867522472.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_67a0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 28b230fbcaaccef7ae150422bf65ab457815a0909f1deb7c63194df414df9472
                            • Instruction ID: 2b76704b96d5b0687decc98e360fd36fe142004412ac8b53460921daa0c0e831
                            • Opcode Fuzzy Hash: 28b230fbcaaccef7ae150422bf65ab457815a0909f1deb7c63194df414df9472
                            • Instruction Fuzzy Hash: FB511371E01219DFCB04DFA9D458AEEBBB2FB89300F108529E515B7390CB389A45CF94
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1867522472.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_67a0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: e13fb3530d5596fd95c2a2358bb91952dd9dd2cde11d3e4ae5a62f6c525ef2a8
                            • Instruction ID: 28754989e3008852a08047bc565a10c3713734ce1bf0ce41705af1c2b642eb79
                            • Opcode Fuzzy Hash: e13fb3530d5596fd95c2a2358bb91952dd9dd2cde11d3e4ae5a62f6c525ef2a8
                            • Instruction Fuzzy Hash: 67512570E012199FDB44DFA9D454AEEBBB2FF89300F108569E515BB391CB389A45CF90
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1864676422.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_5ad0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: c2b98c1233b2c6579787f46f71ead91cb1386d5f6456312a487207bacd0e9c29
                            • Instruction ID: fc2c76a704a5ea0cee0da798180745d8b75856165d97dafc58d7a133121964a1
                            • Opcode Fuzzy Hash: c2b98c1233b2c6579787f46f71ead91cb1386d5f6456312a487207bacd0e9c29
                            • Instruction Fuzzy Hash: 2B419A34B003599FDB15AFB89469B6EBFF2BB85340F14446AE406DB385EE309D05CB92
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1867522472.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_67a0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 48d6c8323660f67df482890bee562b263bad34bb0c679a92268fc6b3e903a4ac
                            • Instruction ID: 27d771bf34610fcc07bd06c416d79842ccd581c64a0297f75a6b4ef20c323157
                            • Opcode Fuzzy Hash: 48d6c8323660f67df482890bee562b263bad34bb0c679a92268fc6b3e903a4ac
                            • Instruction Fuzzy Hash: 1731FE71B04259AFDB45EFF9A8406AEBBBAEBC4310F10866AD518DB384DA709C01C7D1
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1864676422.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_5ad0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 6eb51b83c8da818e68bbaf4da71e07399045364b4eac00e0196b653c9eb0a3d9
                            • Instruction ID: f9f9c02c754b0a33d668851988aa8c25d6458cbb19b8b5cf2f4c731387622f70
                            • Opcode Fuzzy Hash: 6eb51b83c8da818e68bbaf4da71e07399045364b4eac00e0196b653c9eb0a3d9
                            • Instruction Fuzzy Hash: BA41E874A10608CFDB44EFA8C959A9DBBB2FF88304F148169E506AB3B1DF30AD45DB54
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1867522472.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_67a0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: ea25779f2cbfc3005ff2c701ce4659831e1f204ae3a5f205a8177b4bc0d5c310
                            • Instruction ID: ebfbc8c25eb08a02b551276a9be8815fb0838e843fc2df4abd02c17cf2d2eb2b
                            • Opcode Fuzzy Hash: ea25779f2cbfc3005ff2c701ce4659831e1f204ae3a5f205a8177b4bc0d5c310
                            • Instruction Fuzzy Hash: 5341A278E01208DFCB44DFA4D594A9DBBB2FF48314F208159E909AB368DB31AD46CF40
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1864676422.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_5ad0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: b6cf544320c8d4408bf67bc5d1731884d3046b1afbce5c65a1fb4bbf4ff2eeb4
                            • Instruction ID: cf8f16436d8780076bf756be808ee209348c899a2d5772302fcc828ea5414941
                            • Opcode Fuzzy Hash: b6cf544320c8d4408bf67bc5d1731884d3046b1afbce5c65a1fb4bbf4ff2eeb4
                            • Instruction Fuzzy Hash: F4318C34B042059FDB54ABB8D459B6EBFF6BF88210F14446AE54BC7391EE309846CB91
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1867522472.00000000067A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 067A0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_67a0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 943c47e4d92a07ee9715b7925a5bb25d3f8bb7a53c059515211c27c4ae70f2af
                            • Instruction ID: 4ac35ec9021586ff11fa48b595c9bc101f9e9cdefcd3105b274e24895d9d0585
                            • Opcode Fuzzy Hash: 943c47e4d92a07ee9715b7925a5bb25d3f8bb7a53c059515211c27c4ae70f2af
                            • Instruction Fuzzy Hash: 87214831B05399AFCB46AB79985067E7BBAEBC1710F24456AD1448B354DE309C01C3D2
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1851431473.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_14fd000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 491faa8944022fda2a8d6f1b9ab781a0a5bdcc3a0fa6d94ad41b2bcf6c139700
                            • Instruction ID: babc92ebdbfd9f0fc6409d15009817bec4472f6505b74dcbbc60e39b3f0f68bf
                            • Opcode Fuzzy Hash: 491faa8944022fda2a8d6f1b9ab781a0a5bdcc3a0fa6d94ad41b2bcf6c139700
                            • Instruction Fuzzy Hash: 3621E275904240DFDB059F94D9C4B2BBFA5FB88314F24866EEA4D0E366C336D416CBA1
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1864676422.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_5ad0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 79b0f73ba819f67926bcf1930aafaa4c6e697a0a827086e2ca4defe25d2b55d3
                            • Instruction ID: 4faeecf8c65764e19ada3e6437d5a76bee5673ff52a507e17ca452c6d1885b36
                            • Opcode Fuzzy Hash: 79b0f73ba819f67926bcf1930aafaa4c6e697a0a827086e2ca4defe25d2b55d3
                            • Instruction Fuzzy Hash: EF21F2317143446FC725AB70E81EFAEBFB6FB81710F0404AAE5468B2D1DE74980687A1
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1851431473.00000000014FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 014FD000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_14fd000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 1241ee33b5d6e811cae5a225118739160bc4f65fe52ee4a3415c06657287eeea
                            • Instruction ID: 9dc4fe6c5bf662164ccf2072303b9130094b0d20c4b58b16256a407696091b19
                            • Opcode Fuzzy Hash: 1241ee33b5d6e811cae5a225118739160bc4f65fe52ee4a3415c06657287eeea
                            • Instruction Fuzzy Hash: EA21E271900204DFDB05DF58D984B57BF65FB94314F20C17EDA094A366C336E456CAA2
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1864676422.0000000005AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05AD0000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_5ad0000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: dea8063478c6659ceb91edbd50105ecdd403b5690cc3b6626c4a33e8af36ebbb
                            • Instruction ID: 511f0bf237e0911a664a1478c7b20d07689be9515de4ca94010b071a72b713ae
                            • Opcode Fuzzy Hash: dea8063478c6659ceb91edbd50105ecdd403b5690cc3b6626c4a33e8af36ebbb
                            • Instruction Fuzzy Hash: 2A213235700215DFDB14EF64C844EAABBB2FF88350F148469E9169B361DF31D941CBA0
                            Memory Dump Source
                            • Source File: 0000000C.00000002.1851588551.000000000150D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0150D000, based on PE: false
                            Joe Sandbox IDA Plugin
                            • Snapshot File: hcaresult_12_2_150d000_mjCLFIohWTlhgd.jbxd
                            Similarity
                            • API ID:
                            • String ID:
                            • API String ID:
                            • Opcode ID: 35b938fd174e04ca896428517fd19080d7b0ebbf7aa6804af16d1f16efef1ae1
                            • Instruction ID: 1eedf33098e4dfaf4c0442d0b7409a0d85085998618073d47ebfa28a68580744
                            • Opcode Fuzzy Hash: 35b938fd174e04ca896428517fd19080d7b0ebbf7aa6804af16d1f16efef1ae1